[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: Hiding userPassword and other attributes from anonymousLDAPclients (such as Eudora)

To: "Rudolf Nottrott, NCEAS" <nottrott@nceas.ucsb.edu>
Subject: Re: Hiding userPassword and other attributes from anonymousLDAPclients (such as Eudora)
From: Patrick Timmons <ptimmons@courriel.polymtl.ca>
Date: Fri, 13 Oct 2000 18:47:14 -0400
Cc: Mike Coughlan <mcoughlan@gothambroadband.com>, OpenLDAP-Software <openldap-software@OpenLDAP.org>, nottrott@ulysses.nceas.ucsb.edu
Organization: Ecole Polytechnique de Montreal
References: <3.0.3.32.20001012143132.009b4a30@nceas.nceas.ucsb.edu> <3.0.3.32.20001013083741.009d3830@nceas.nceas.ucsb.edu>

Hi again.

I think there is a problem in having an acl that allows to search on the
userpassword field especialy if the users can modify their password. You could
do a search like

    ldapsearch "userpassword=master" 
or  ldapsearch "userpassword=god"

and get the DN of all users with that password. Then you could login as them and
have access to private data.

Am I right ?

"Rudolf Nottrott, NCEAS" wrote:
> 
> Thanks Patrick, for your examples.
> 
> I did a lot of experimenting yesterday and found that the following works
> for hiding the password, although I still don't really understand how:
> 
> defaultaccess read
> access to attr=userPassword
>     by * search
> 
> access to * by self write
> 
> Taken as plain English, "access to attr=userPassword" suggests the opposite
> of hiding to me, but it hides the password alright.
> 
> Still looking for something like a tutorial on this, or at least some
> better explanation than the slapd config manual at
> http://www.openldap.org/devel/admin/slapdconfig.html provides.
> 
> Thanks,
> 
> Rudolf
> 
> At 10:23 AM 10/13/00 -0400, you wrote:
> >Here's how you can do this:
> >
> >defaultaccess          read
> >access to attrs=userpassword
> >   by self             write
> >   by *                none
> >
> >That's for openldap v 1.2.x
> >
> >could be
> >
> >defaultaccess          read
> >access to attrs=userpassword
> >   by self             write
> >   by *                auth
> >
> >for openldap v 2.x. I'm not sure. I'm not using it yet. If you do not want
> the
> >users to be able to change their password, change the write for a read.
> >
> >P.Timmons
> >
> >"Rudolf Nottrott, NCEAS" wrote:
> >>
> >> Hello,
> >>
> >> I'm just getting into LDAP access control and I apologize if the answer to
> >> my question is obvious to most of you.
> >>
> >> I am trying to prevent anonymous LDAP client programs, such as Eudora, from
> >> seeing certain attributes.  (Most importantly I don't want the userPassword
> >> attribute to be seen.)  I'm guessing that this is done with the
> >> defaultaccess control in slapd.conf, but haven't found any simple
> >> explanation of the details of defaultaccess usage.
> >>
> >> Can defaultaccess be used to hide certain attributes from anonymous client
> >> such as Eudora?  If not, how can it be done?
> >>
> >> Could you point me to a good explanation of the workings of
> >> 'defaultaccess', perhaps a tutorial of some kind?
> >>
> >> Thanks for your help.
> >>
> >> Rudolf Nottrott
> >> UCSB Santa Barbara
> >
> >--
> >Patrick Timmons, service informatique
> >

-- 
Patrick Timmons, service informatique

Follow-Ups:
- Re: Hiding userPassword and other attributes from anonymousLDAPclients (such as Eudora)
  - From: "Jim Hud" <jdhz@btinternet.com>
- Re: Hiding userPassword and other attributes from anonymousLDAPclients (such as Eudora)
  - From: "Rudolf Nottrott, NCEAS" <nottrott@nceas.ucsb.edu>

References:
- Hiding userPassword and other attributes from anonymous LDAP clients (such as Eudora)
  - From: "Rudolf Nottrott, NCEAS" <nottrott@nceas.ucsb.edu>
- Re: Hiding userPassword and other attributes from anonymous LDAPclients (such as Eudora)
  - From: "Rudolf Nottrott, NCEAS" <nottrott@nceas.ucsb.edu>

Prev by Date: Problems with OpenLDAP 2.0.1 ...
Next by Date: Re: Hiding userPassword and other attributes from anonymousLDAPclients (such as Eudora)
Index(es):
- Chronological
- Thread