[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: Mac OS X OpenLDAP allows anonymous access to all fields

To: openldap-technical@openldap.org
Subject: Re: Mac OS X OpenLDAP allows anonymous access to all fields
From: Dieter Kluenter <dieter@dkluenter.de>
Date: Mon, 13 Dec 2010 21:52:46 +0100
In-reply-to: <20101213.102244.2118.0@webmail07.dca.untd.com>
Organization: AVCI
References: <20101213.102244.2118.0@webmail07.dca.untd.com>

Am Mon, 13 Dec 2010 16:22:44 GMT
schrieb "RAT" <robert3t@netzero.net>:

> I am experimenting with authenticating users off of OpenLDAP.  The
> default deployment from Apple seems to be (at least in my case)
> completely wide open.  I have been trying to find a ACI to block
> access to the password value.  Does anyone have any good resources on
> this or, better yet, an ACI I can apply? 

AFAIK Apple has modified and patched openldap heavily and I don't know
anything about the Apple version. But if a slapd.conf is still
maintained by Apple, something like

access to dn.base="" by * read
access to dn.base="cn=Subschema" by * read
access to attrs=userPassword
      by self write
      by dn.exact="cn=some administrator,dc=example,dc=com" read
      by * auth
access to dn.subtree=dc=example,dc=com"
        by dn.exact="cn=some administrator,dc=example,dc=com" write
        by users read
        by anonymous auth

gives a minimum of security. In the above configuration cn=some
administrator is not rootdn but a additional administration function.

-Dieter

-- 
Dieter Klünter | Systemberatung
http://dkluenter.de
GPG Key ID:DA147B05
53°37'09,95"N
10°08'02,42"E

References:
- Mac OS X OpenLDAP allows anonymous access to all fields
  - From: "RAT" <robert3t@netzero.net>

Prev by Date: Re: backend issue
Next by Date: Re: backend issue
Index(es):
- Chronological
- Thread