
Re: access control puzzlement



I believe what you may be looking for is to create an access control rule
like:

access to attr=userpassword
 by self write
 by * compare

access to *
 by self write
 by * read

and add userpassword attributes to the various entries (like people entries,
for instance).  The "by self" clauses kick in when a client binds to a
specific DN (not the null DN as an anonymous connection does), and the
server uses the userpassword attribute as password.  The above ACLs allow
attribute changes only by the user who successfully bound to a specific DN.

The first rule is to make sure that people browsing the directory don't see
others' passwords.

-Alan

-----Original Message-----
From: Eric S. Johansson <esj@harvee.billerica.ma.us>
To: openldap-software@OpenLDAP.org <openldap-software@OpenLDAP.org>
Date: Tuesday, May 11, 1999 4:25 PM
Subject: access control puzzlement


>I'm trying to implement access controls for an LDAP database and I'm
>finding myself increasingly confused by the documentation.  I think I
>follow the pattern matching description but it's not clear to me how one
>specifies passwords to go along with matching dn's.
>
>If I'm reading the documentation correctly, once a request passes the
>"what" hurdle, passing the "who" hurdle can be as simple as coming from the
>right domain/address or supplying a dn.  I would expect a password or some
>other form of "shared secret" or authentication to go along with the dn.
>
>How far off base am I?  Any documentation in addition to the University of
>Michigan administrators guide would be greatly appreciated.
>
>--- eric
>
>Eric S Johansson esj@inguide.com   esj@harvee.billerica.ma.us
>This message was composed almost entirely by NaturallySpeaking.
>
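
Added example, not part of the original thread and not OpenLDAP's code: a simplified Python model of how slapd takes the first matching "access to" rule and then the first matching "by" clause, run against the two rules from the reply above. The DNs are constructed samples, DN matching is a plain case-insensitive string compare, and the level ordering none < compare < search < read < write is an assumption taken from the slapd documentation.

```python
# Simplified model of slapd first-match ACL evaluation (illustration only).
LEVELS = ["none", "compare", "search", "read", "write"]  # each implies the lower ones

# The two rules from the reply, in the order given there.
ACL_TEXT = """\
access to attr=userpassword
 by self write
 by * compare

access to *
 by self write
 by * read
"""

def parse_acl(text):
    """Return [(what, [(who, level), ...]), ...] in file order."""
    rules = []
    for line in text.splitlines():
        words = line.split()
        if not words:
            continue
        if words[0] == "access" and words[1] == "to":
            rules.append((words[2].lower(), []))
        elif words[0] == "by" and line[0].isspace():   # indented continuation
            rules[-1][1].append((words[1].lower(), words[2].lower()))
        else:
            raise ValueError("unrecognised line: %r" % line)
    return rules

def granted(rules, bound_dn, entry_dn, attr):
    """Level given by the first matching rule and its first matching clause.
    bound_dn is None for an anonymous (null DN) connection."""
    is_self = bound_dn is not None and bound_dn.lower() == entry_dn.lower()
    for what, clauses in rules:
        if what != "*" and what != "attr=" + attr.lower():
            continue
        for who, level in clauses:
            if who == "*" or (who == "self" and is_self):
                return level
        return "none"  # <what> matched but no <who> did (simplification)
    return "none"      # no rule matched; real slapd applies its default access

def allowed(rules, bound_dn, entry_dn, attr, wanted):
    """True if the granted level is at least the level the operation needs."""
    return LEVELS.index(granted(rules, bound_dn, entry_dn, attr)) >= LEVELS.index(wanted)

RULES = parse_acl(ACL_TEXT)
```

Reversing the two rules makes "access to *" match first, so its "by * read" clause would then apply to userpassword as well; the attribute-specific rule has to come first.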