Re: Mac OS X OpenLDAP allows anonymous access to all fields
On Mon, 13 Dec 2010 16:22:44 GMT, "RAT" <robert3t@netzero.net> wrote:
> I am experimenting with authenticating users off of OpenLDAP. The
> default deployment from Apple seems to be (at least in my case)
> completely wide open. I have been trying to find an ACI to block
> access to the password value. Does anyone have any good resources on
> this or, better yet, an ACI I can apply?
AFAIK Apple has modified and patched OpenLDAP heavily and I don't know
anything about the Apple version. But if a slapd.conf is still
maintained by Apple, something like

access to dn.base="" by * read
access to dn.base="cn=Subschema" by * read
access to attrs=userPassword
        by self write
        by dn.exact="cn=some administrator,dc=example,dc=com" read
        by * auth
access to dn.subtree="dc=example,dc=com"
        by dn.exact="cn=some administrator,dc=example,dc=com" write
        by users read
        by anonymous auth

gives a minimum of security. In the above configuration cn=some
administrator is not rootdn but an additional administration function.
-Dieter
--
Dieter Klünter | Systemberatung
http://dkluenter.de
GPG Key ID:DA147B05
53°37'09,95"N
10°08'02,42"E
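To see what the ACL above actually grants to each kind of bind, here is a small model of slapd's evaluation order (first matching "access to" clause, then first matching "by" clause, otherwise no access), written as an added example for this thread and not taken from the post or from OpenLDAP itself. The entry DNs and the administrator DN are constructed to match the posted configuration; real slapd also checks access to the entry itself and supports "break"/"continue", which this model leaves out.

```python
# Privilege levels in slapd order: a granted level implies every lower one.
LEVELS = ["none", "auth", "compare", "search", "read", "write"]
ADMIN = "cn=some administrator,dc=example,dc=com"  # from the posted config

# The posted ACL, as (what, [(who, level), ...]) in file order.
ACL = [
    ({"dn.base": ""},             [("*", "read")]),
    ({"dn.base": "cn=Subschema"}, [("*", "read")]),
    ({"attrs": "userPassword"},   [("self", "write"),
                                   ("dn.exact:" + ADMIN, "read"),
                                   ("*", "auth")]),
    ({"dn.subtree": "dc=example,dc=com"}, [("dn.exact:" + ADMIN, "write"),
                                           ("users", "read"),
                                           ("anonymous", "auth")]),
]

def what_matches(what, target_dn, attr):
    """Does this 'access to' clause apply to (entry, attribute)?"""
    if "attrs" in what:
        return attr == what["attrs"]
    if "dn.base" in what:
        return target_dn == what["dn.base"]
    suffix = what["dn.subtree"]
    return target_dn == suffix or target_dn.endswith("," + suffix)

def who_matches(who, bind_dn, target_dn):
    """Does this 'by' clause match the bound identity? bind_dn None = anonymous."""
    if who == "*":
        return True
    if who == "anonymous":
        return bind_dn is None
    if who == "users":
        return bind_dn is not None
    if who == "self":
        return bind_dn is not None and bind_dn == target_dn
    return who.startswith("dn.exact:") and bind_dn == who[len("dn.exact:"):]

def granted(bind_dn, target_dn, attr):
    """Level slapd grants: first matching what-clause, first matching who-clause."""
    for what, whos in ACL:
        if what_matches(what, target_dn, attr):
            for who, level in whos:
                if who_matches(who, bind_dn, target_dn):
                    return level
            return "none"      # what matched but no who did: denied
    return "none"              # nothing matched: denied

def allows(bind_dn, target_dn, attr, needed):
    """True if the granted level is at least the level an operation needs."""
    return LEVELS.index(granted(bind_dn, target_dn, attr)) >= LEVELS.index(needed)
```

The model shows the point of the "by * auth" line: an anonymous bind can still authenticate against userPassword but cannot read it, while the administrator gets read (not write) on passwords and write on everything else under the suffix.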