[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: ACLs - allowing a user to add a new attribute

To: Andrew Findlay <andrew.findlay@skills-1st.co.uk>
Subject: Re: ACLs - allowing a user to add a new attribute
From: Matt Ingram <mingram@cbnco.com>
Date: Wed, 14 Apr 2010 16:00:26 -0400
Cc: openldap-software@openldap.org
In-reply-to: <20100413144316.GA7107@slab.skills-1st.co.uk>
References: <4BC35500.4000806@cbnco.com> <20100413144316.GA7107@slab.skills-1st.co.uk>
User-agent: Thunderbird 2.0.0.24 (Windows/20100228)

Could you please clarify this comment for me, I don't understand. theonly ACLs I have referring to userPassword is


access to attrs=userPassword

bygroup/groupOfNames/member="cn=ldappers,ou=Apps,ou=Groups,ou=Accounts,dc=domain,dc=com"write

     by dn.children="ou=Admins,dc=domain,dc=com" write
     by self write
     by * auth

trying to achieve write access for the ldappers group, children of theAdmins ou and self. by self write should give a user the ability tochange their password, correct ? Is there a better ACL for what I'mtrying to achieve ?


Thanks,
Matt.

One comment I would make about your ACLs is that in several places you
are granting read access to userPassword. This is not usually
necessary nor is it a good idea. You need 'by * auth' access to permit
authentication, but only need to give '=w' access to those who need to
change passwords. Remember that the 'write' keyword includes read access.


--
Matt Ingram
Intermediate Unix Administrator, IS
Canadian Bank Note Company, Limited
\m/

Follow-Ups:
- Re: ACLs - allowing a user to add a new attribute
  - From: Andrew Findlay <andrew.findlay@skills-1st.co.uk>

References:
- ACLs - allowing a user to add a new attribute
  - From: Matt Ingram <mingram@cbnco.com>
- Re: ACLs - allowing a user to add a new attribute
  - From: Andrew Findlay <andrew.findlay@skills-1st.co.uk>

Prev by Date: Re: ACLs - allowing a user to add a new attribute
Next by Date: Re: ACLs - allowing a user to add a new attribute
Index(es):
- Chronological
- Thread