Re: stopping anonymous access to userPassword
- To: openldap-technical@openldap.org
- Subject: Re: stopping anonymous access to userPassword
- From: harry.jede@arcor.de
- Date: Thu, 10 Feb 2011 18:08:05 +0100
- In-reply-to: <20110210.101414.22365.0@webmail21.dca.untd.com>
- References: <20110210.101414.22365.0@webmail21.dca.untd.com>
RAT wrote:
> I'm unaccustomed to the new (non-slapd.conf) way of adding ACL/ACI's.
>
> I'm trying to exclude anonymous access to the password. We've tried
> this to no effect:
>
> olcAccess: to dn.base="cn=users,dc=lib-mac,dc=local" by * read
> olcAccess: to dn.base="cn=Subschema" by * read
> olcAccess: to attrs=userPassword
> by self write
> by dn.exact="uid=diradmin,cn=users,dc=lib-mac,dc=local" read
> by * auth
> olcAccess: to dn.subtree=""
> by dn.exact="uid=diradmin,cn=users,dc=lib-mac,dc=local" write
> by users read
> by anonymous auth
The ACL for attrs=userPassword should be the first ACL. ACLs are
evaluated in order; read man slapd.access.
>
> Robert Threet
> http://yesistilluseperl.blogspot.com/
>
--
Harry Jede
Kronprinzenstraße 151
44135 Dortmund
Germany
Tel +49 231 522376
Email harry.jede@arcor.de
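
The reordering suggested in the reply, written as an LDIF change for the cn=config backend. This is an added example, not part of the original message: the rules are the ones quoted above, while the database DN `olcDatabase={N}<backend>,cn=config` is a placeholder that must be replaced with the DN of the database entry that holds dc=lib-mac,dc=local.

```ldif
# Added example. Placeholder DN: substitute the real database entry,
# which can be found by listing the olcDatabase entries under cn=config.
dn: olcDatabase={N}<backend>,cn=config
changetype: modify
# "replace" overwrites every existing olcAccess value on this entry,
# so all rules that should remain must be listed here.
replace: olcAccess
# The {n} prefix fixes the evaluation order; {0} is checked first.
# Continuation lines start with TWO spaces: LDIF strips the first one
# when unfolding, and the second keeps "by" separated from the
# preceding token.
olcAccess: {0}to attrs=userPassword
  by self write
  by dn.exact="uid=diradmin,cn=users,dc=lib-mac,dc=local" read
  by * auth
olcAccess: {1}to dn.base="cn=users,dc=lib-mac,dc=local" by * read
olcAccess: {2}to dn.base="cn=Subschema" by * read
olcAccess: {3}to dn.subtree=""
  by dn.exact="uid=diradmin,cn=users,dc=lib-mac,dc=local" write
  by users read
  by anonymous auth
```

After loading the change with ldapmodify, an anonymous `ldapsearch -x` requesting userPassword under cn=users,dc=lib-mac,dc=local should return entries without that attribute.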