
Re: Mac OS X OpenLDAP allows anonymous access to all fields



On Mon, 13 Dec 2010 16:22:44 GMT,
"RAT" <robert3t@netzero.net> wrote:

> I am experimenting with authenticating users off of OpenLDAP.  The
> default deployment from Apple seems to be (at least in my case)
> completely wide open.  I have been trying to find an ACI to block
> access to the password value.  Does anyone have any good resources on
> this or, better yet, an ACI I can apply? 

AFAIK Apple has modified and patched OpenLDAP heavily, and I don't know
anything about the Apple version. But if a slapd.conf is still
maintained by Apple, something like

# rootDSE and schema must stay readable so clients can discover the server
access to dn.base="" by * read
access to dn.base="cn=Subschema" by * read
# keep this before the subtree rule: the first matching "access to" wins
access to attrs=userPassword
        by self write
        by dn.exact="cn=some administrator,dc=example,dc=com" read
        by * auth
access to dn.subtree="dc=example,dc=com"
        by dn.exact="cn=some administrator,dc=example,dc=com" write
        by users read
        by anonymous auth

gives a minimum of security. In the above configuration, cn=some
administrator is not rootdn but an additional administration function.

-Dieter

-- 
Dieter Klünter | Systemberatung
http://dkluenter.de
GPG Key ID:DA147B05
53°37'09,95"N
10°08'02,42"E
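As an added illustration (not code from the thread, from Apple, or from OpenLDAP), here is a small Python model of how slapd evaluates the ACL in the message above, following the rules in slapd.access(5): the first "access to" clause whose <what> matches is the only one consulted, within it the first matching "by" clause decides, and once any ACL exists a request nothing matches is denied (the implied trailing "access to * by * none"). Only the selectors the thread uses are implemented, the DNs uid=alice and uid=bob are made up, and the ACL text embedded below is a copy of the posted one with the missing quote on dn.subtree restored. It shows the wide-open default beside the locked-down rules, and why the attrs=userPassword rule has to come before the subtree rule.

```python
# Added example (not from the thread or OpenLDAP): a toy model of slapd's ACL
# evaluation per slapd.access(5). The first "access to" whose <what> matches is
# the only one consulted, its first matching "by" decides, and once any ACL
# exists an unmatched request is denied ("access to * by * none" is implied).
import shlex

LEVELS = ["none", "disclose", "auth", "compare", "search", "read", "write"]

# The ACL from the thread (constructed copy, missing quote on dn.subtree restored).
LOCKED_DOWN = """
access to dn.base="" by * read
access to dn.base="cn=Subschema" by * read
access to attrs=userPassword
        by self write
        by dn.exact="cn=some administrator,dc=example,dc=com" read
        by * auth
access to dn.subtree="dc=example,dc=com"
        by dn.exact="cn=some administrator,dc=example,dc=com" write
        by users read
        by anonymous auth
"""
WIDE_OPEN = "access to * by * read\n"   # the "completely wide open" case

def norm(dn):
    """Lowercase a DN and strip whitespace around commas so DNs compare equal."""
    return ",".join(p.strip() for p in dn.lower().split(","))

def parse_acl(text):
    """Parse 'access to <what> by <who> <level> ...' directives into rules."""
    lines = []
    for raw in text.splitlines():
        if not raw.strip():
            continue
        if raw[0].isspace() and lines:          # slapd.conf continuation line
            lines[-1] += " " + raw
        else:
            lines.append(raw)
    rules = []
    for line in lines:
        tok = shlex.split(line)
        if tok[:2] != ["access", "to"]:
            raise ValueError("not an access directive: " + line)
        what, by, i = {"scope": None, "dn": None, "attrs": None}, [], 2
        while i < len(tok) and tok[i] != "by":  # <what> selectors
            t = tok[i]
            if t.startswith("dn.base="):
                what["scope"], what["dn"] = "base", norm(t[8:])
            elif t.startswith("dn.subtree="):
                what["scope"], what["dn"] = "subtree", norm(t[11:])
            elif t.startswith("attrs="):
                what["attrs"] = {a.lower() for a in t[6:].split(",")}
            elif t != "*":
                raise ValueError("unsupported <what>: " + t)
            i += 1
        while i + 2 < len(tok):                 # by <who> <level> ...
            if tok[i] != "by" or tok[i + 2] not in LEVELS:
                raise ValueError("bad by clause in: " + line)
            by.append((tok[i + 1], tok[i + 2]))
            i += 3
        rules.append((what, by))
    return rules

def target_matches(what, dn, attr):
    dn = norm(dn)
    if what["scope"] == "base" and dn != what["dn"]:
        return False
    if what["scope"] == "subtree" and what["dn"] and not (
            dn == what["dn"] or dn.endswith("," + what["dn"])):
        return False
    if what["attrs"] is not None and (attr is None or attr.lower() not in what["attrs"]):
        return False
    return True

def who_matches(who, requester, dn):
    req = norm(requester) if requester else ""  # "" is an anonymous requester
    if who.startswith("dn.exact="):
        return req == norm(who[9:])
    fixed = {"*": True, "anonymous": req == "", "users": req != "",
             "self": req != "" and req == norm(dn)}
    if who not in fixed:
        raise ValueError("unsupported <who>: " + who)
    return fixed[who]

def granted(rules, requester, dn, attr=None):
    """Access level slapd would grant `requester` on `attr` of entry `dn`."""
    for what, by in rules:
        if target_matches(what, dn, attr):
            for who, level in by:
                if who_matches(who, requester, dn):
                    return level
            return "none"     # <what> matched, no <who> did: stop here, deny
    return "none"             # nothing matched: the implicit "by * none"

def allowed(rules, requester, dn, attr, needed):
    """True if the granted level is at least the level the operation needs."""
    return LEVELS.index(granted(rules, requester, dn, attr)) >= LEVELS.index(needed)

if __name__ == "__main__":
    alice, bob = "uid=alice,ou=people,dc=example,dc=com", "uid=bob,ou=people,dc=example,dc=com"
    for label, rules in ("wide open", parse_acl(WIDE_OPEN)), ("locked down", parse_acl(LOCKED_DOWN)):
        print(label, "-> anonymous reads alice's hash:", allowed(rules, None, alice, "userPassword", "read"),
              "| bob reads alice's hash:", allowed(rules, bob, alice, "userPassword", "read"),
              "| alice sets own password:", allowed(rules, alice, alice, "userPassword", "write"))
    # Ordering pitfall: with the subtree rule ahead of the userPassword rule,
    # "by users read" matches first and every authenticated user can read all hashes.
    locked = parse_acl(LOCKED_DOWN)
    misordered = locked[:2] + [locked[3], locked[2]]
    print("misordered -> bob reads alice's hash:", allowed(misordered, bob, alice, "userPassword", "read"))
```

The model only reproduces the evaluation order; the check that matters on a real server is an anonymous `ldapsearch -x` against the base DN asking for userPassword, which must come back without any values once the ACL is loaded, while an anonymous simple bind as a user must still succeed (that is what `by * auth` and `by anonymous auth` preserve).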