Re: entry modify failed while trying to change user password
>>> access to *
>>> by * read
>>> access to attrs=userPassword
>>> by self write
>>> by * auth
>>
>> This looks correct.
>
> Actually, I have a question about this. Since access to * by * read comes
> first, won't the second ACL never be evaluated? My understanding of
> OpenLDAP ACLs is they stop at the first matching ACL that gives any sort
> of access (unless there is a by * break in there). And besides, isn't
> this ACL particularly insecure, in that it would allow anyone to read
> anyone else's password? I would expect that these two ACLs should be
> reversed.
Gotcha. Sorry for the wrong indication.
p.
--
Pierangelo Masarati
mailto:pierangelo.masarati@sys-net.it
SysNet - via Dossi,8 27100 Pavia Tel: +390382573859 Fax: +390382476497
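
Added example, not part of the original message and not OpenLDAP code: a simplified Python model of slapd's documented first-match rule (the first `access to` whose target matches is selected, then the first matching `by` clause within it), applied to the two ACLs quoted above in the posted order and in the reversed order. The names `AS_POSTED`, `REVERSED`, `granted` and `allows` are hypothetical, and `break` and other control keywords are not modelled.

```python
# Simplified model of slapd access-directive selection (illustration only).
# Access levels in increasing order; a higher level implies the lower ones.
LEVELS = ["none", "disclose", "auth", "compare", "search", "read", "write", "manage"]

# Each directive: (what, [(who, level), ...]). "*" matches anything.
AS_POSTED = [
    ("*", [("*", "read")]),
    ("userPassword", [("self", "write"), ("*", "auth")]),
]
REVERSED = list(reversed(AS_POSTED))  # attrs=userPassword first, catch-all last


def granted(acl, attr, is_self):
    """Return the level chosen for `attr` by first-match evaluation."""
    for what, by_clauses in acl:
        if what not in ("*", attr):
            continue  # target does not match, look at the next directive
        for who, level in by_clauses:
            if who == "*" or (who == "self" and is_self):
                return level  # first matching <who> wins
        return "none"  # implicit "by * none" closes every directive
    return "none"  # nothing matched: implicit deny when ACLs are present


def allows(acl, attr, is_self, wanted):
    """True if the granted level is at least `wanted`."""
    return LEVELS.index(granted(acl, attr, is_self)) >= LEVELS.index(wanted)


def report():
    """Effective userPassword access for each ordering and requester."""
    rows = []
    for name, acl in (("as posted", AS_POSTED), ("reversed", REVERSED)):
        for who, is_self in (("other user", False), ("self", True)):
            rows.append((name, who, granted(acl, "userPassword", is_self)))
    return rows


if __name__ == "__main__":
    for name, who, level in report():
        print(f"{name:10} {who:10} userPassword -> {level}")
```

In this model the posted order gives every requester, including the entry's owner, `read` on userPassword; the reversed order gives the owner `write`, everyone else `auth`, and leaves other attributes at `read`.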