
Re: Can I do this with OpenLDAP acls?



Wed, 14.04.2004 at 18:14, Steve Sobol wrote:

[...]

> access to attr=userPassword
>          by self write
>          by * auth
> 
> access to *
>          by anonymous read
>          by self read
> 
> (in the second entry, the anonymous line is required for pam_ldap
> and nss_ldap to work correctly).

This is not actually so. The only attributes pam_ldap/nss_ldap need are
those typically present in getent passwd and getent group:

Apr 15 12:38:24 billy slapd[6777]: conn=24 op=5 SRCH attr=uid
userPassword uidNumber gidNumber cn homeDirectory loginShell gecos
description objectClass

plus maybe a couple of others: uid, cn, memberUid, uniqueMember etc.,
depending on your setup.

There are many cases in which unprivileged (not necessarily but often
bound) entities should be configured not to be able to read details
- think of homeTelephoneNumber, homeAddress, mobile etc. So "access to *
by *" would never do in my ACLs ;)

--Tonni

-- 

Cat vomit on the floor
after the weary homecoming,
arouses little disgust.
Faithful as a child
the cat bids welcome,
and perhaps still gets a treat.

mail: billy - at - billy.demon.nl
http://www.billy.demon.nl
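An added slapd.conf ACL fragment, not taken from either poster's configuration, that applies Tonni's point: anonymous clients get read access only to the attributes the logged getent lookup actually requested, personal details are visible only to the entry's owner, and the catch-all rule no longer grants anonymous read on everything. It assumes the standard inetOrgPerson/COSINE attribute names (homePhone, homePostalAddress, mobile) rather than the informal names in the mail, and a vanilla OpenLDAP 2.x schema.

```text
# Order matters: slapd stops at the first "access to" clause that matches
# the attribute being evaluated, so specific rules come before "access to *".

# Passwords: owner may change, everyone may only bind against it.
access to attrs=userPassword
        by self write
        by * auth

# The "entry" pseudo-attribute must be readable, or clients cannot read
# any attribute of the entry at all, no matter what the rules below say.
access to attrs=entry
        by * read

# Exactly what pam_ldap/nss_ldap requested in the logged SRCH, plus the
# group-membership attributes Tonni mentions. "read" implies "search",
# so filters such as (objectClass=posixAccount) still evaluate.
access to attrs=uid,uidNumber,gidNumber,cn,homeDirectory,loginShell,gecos,description,objectClass,memberUid,uniqueMember
        by * read

# Personal details: owner only. Assumed standard attribute names;
# adjust to whatever your schema actually uses.
access to attrs=homePhone,homePostalAddress,mobile
        by self write
        by * none

# Everything not listed above: authenticated users may read, anonymous
# gets nothing. This replaces "access to * by anonymous read".
access to *
        by users read
        by * none
```

Before restarting slapd, slapacl(8) can evaluate these rules offline against a DN: running it with the config file, a `-b` DN and `homePhone/read` but no `-D` simulates an anonymous client and should report the access as denied, while the same check for `uidNumber/read` should be allowed. That is a quick way to confirm that nss_ldap's lookups still work without handing every attribute to anyone who can reach port 389.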