
Re: Hiding userPassword and other attributes from anonymous LDAP clients (such as Eudora)



Thanks, Patrick, for your examples.

I did a lot of experimenting yesterday and found that the following works
for hiding the password, although I still don't really understand how:

defaultaccess read
access to attr=userPassword
    by * search

access to * by self write

Taken as plain English, "access to attr=userPassword" suggests the opposite
of hiding to me, but it hides the password alright.

Still looking for something like a tutorial on this, or at least some
better explanation than the slapd config manual at
http://www.openldap.org/devel/admin/slapdconfig.html provides.

Thanks, 

Rudolf
 
At 10:23 AM 10/13/00 -0400, you wrote:
>Here's how you can do this:
>
>defaultaccess          read
>access to attrs=userpassword
>   by self             write
>   by *                none
>
>That's for openldap v 1.2.x
>
>could be 
>
>defaultaccess          read
>access to attrs=userpassword
>   by self             write
>   by *                auth
>
>for openldap v 2.x. I'm not sure. I'm not using it yet. If you do not want the
>users to be able to change their password, change the write for a read.
>
>P.Timmons
>
>"Rudolf Nottrott, NCEAS" wrote:
>> 
>> Hello,
>> 
>> I'm just getting into LDAP access control and I apologize if the answer to
>> my question is obvious to most of you.
>> 
>> I am trying to prevent anonymous LDAP client programs, such as Eudora, from
>> seeing certain attributes.  (Most importantly I don't want the userPassword
>> attribute to be seen.)  I'm guessing that this is done with the
>> defaultaccess control in slapd.conf, but haven't found any simple
>> explanation of the details of defaultaccess usage.
>> 
>> Can defaultaccess be used to hide certain attributes from anonymous client
>> such as Eudora?  If not, how can it be done?
>> 
>> Could you point me to a good explanation of the workings of
>> 'defaultaccess', perhaps a tutorial of some kind?
>> 
>> Thanks for your help.
>> 
>> Rudolf Nottrott
>> UCSB Santa Barbara
>
>-- 
>Patrick Timmons, service informatique
>
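As an added illustration, and not part of the thread or of OpenLDAP's own code, here is a small Python model of the slapd access-level rules the two configurations above rely on. It evaluates Rudolf's `by * search` fragment and both of Patrick's `attrs=userpassword` fragments against a constructed sample entry (attributes `cn`, `mail`, `userPassword`; DN `cn=rudolf,o=example`, all made up here) and reports what an anonymous client like Eudora gets back versus what the entry's owner gets. The point it makes explicit is that returning an attribute in a search result needs `read`, so any lower level (`search`, `auth`, `none`) hides the value while still allowing the operations that level permits. The `unmatched_by` switch is an assumption of this model: OpenLDAP 2.x denies when an `access to` clause matches but none of its `by` clauses do, and the model lets you try the alternative of falling back to `defaultaccess`, which is how the 1.x behaviour is understood here.

```python
"""Model of slapd-style ACL evaluation (added example, not OpenLDAP code).

Rules modelled:
  * privilege levels are ordered none < auth < compare < search < read < write
    and granting a level grants every level below it ("auth" exists only in
    OpenLDAP 2.x; it lets a simple bind check userPassword without exposing it);
  * the first "access to" clause whose target matches is used, and inside it
    the first "by" clause whose subject matches decides;
  * defaultaccess applies only when no "access to" clause matches at all.

When an "access to" clause matches but none of its "by" clauses does, 2.x
denies; falling back to defaultaccess instead is an assumption about 1.x,
selectable with unmatched_by="default".
"""

LEVELS = ["none", "auth", "compare", "search", "read", "write"]
ANONYMOUS = None  # requester DN of an unauthenticated client such as Eudora


def grants(level, needed):
    """True if privilege `level` includes privilege `needed`."""
    return LEVELS.index(level) >= LEVELS.index(needed)


class Acl:
    def __init__(self, defaultaccess, rules, unmatched_by="deny"):
        # rules: list of (target, [(who, level), ...]); target is "*" or an
        # attribute name, who is "*" or "self" (the subset used in the thread)
        self.defaultaccess = defaultaccess
        self.rules = rules
        self.unmatched_by = unmatched_by  # "deny" (2.x) or "default" (1.x, assumed)

    def level(self, requester, entry_dn, attr):
        for target, by_clauses in self.rules:
            if target != "*" and target.lower() != attr.lower():
                continue
            for who, lvl in by_clauses:
                if who == "*" or (who == "self" and requester == entry_dn):
                    return lvl
            return "none" if self.unmatched_by == "deny" else self.defaultaccess
        return self.defaultaccess

    def allowed(self, requester, entry_dn, attr, needed):
        return grants(self.level(requester, entry_dn, attr), needed)


def visible_attrs(acl, requester, entry_dn, attrs):
    """Attributes a search result would return: each one needs 'read'."""
    return [a for a in attrs if acl.allowed(requester, entry_dn, a, "read")]


def can_bind(acl, entry_dn):
    """Simple bind starts out anonymous and needs 'auth' on userPassword (2.x rule)."""
    return acl.allowed(ANONYMOUS, entry_dn, "userPassword", "auth")


def can_change_own_password(acl, entry_dn):
    return acl.allowed(entry_dn, entry_dn, "userPassword", "write")


# The three slapd.conf fragments from the thread, transcribed into the model.
RUDOLF = [("userPassword", [("*", "search")]),
          ("*", [("self", "write")])]
PATRICK_1X = [("userpassword", [("self", "write"), ("*", "none")])]
PATRICK_2X = [("userpassword", [("self", "write"), ("*", "auth")])]

ATTRS = ["cn", "mail", "userPassword"]  # constructed sample entry


def report(acl, entry_dn="cn=rudolf,o=example"):
    """Summarise what an anonymous client and the entry's owner get."""
    return {
        "anonymous_sees": visible_attrs(acl, ANONYMOUS, entry_dn, ATTRS),
        "self_sees": visible_attrs(acl, entry_dn, entry_dn, ATTRS),
        "anonymous_can_bind": can_bind(acl, entry_dn),
        "self_can_change_password": can_change_own_password(acl, entry_dn),
    }


if __name__ == "__main__":
    for name, acl in [("rudolf (1.x fallback)", Acl("read", RUDOLF, "default")),
                      ("rudolf (2.x deny)", Acl("read", RUDOLF)),
                      ("patrick 1.2.x", Acl("read", PATRICK_1X, "default")),
                      ("patrick 2.x", Acl("read", PATRICK_2X))]:
        print(name, report(acl))
```

Running it shows why Rudolf's fragment "hides the password alright": anonymous gets only `search` on `userPassword`, which is enough to match a filter on it but not to have the value returned. It also shows the cost of that fragment, since `access to * by self write` leaves the owner with `search` on their own password too (the `userPassword` clause matches first), so nobody can change it; under the 2.x no-match rule the same clause hides every other attribute from anonymous clients as well. Patrick's 2.x form with `by * auth` is the one that keeps binds working while still hiding the value.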