[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: ACL Assistance

To: openldap-software@openldap.org
Subject: Re: ACL Assistance
From: "Joshua M. Miller" <joshua@itsecureadmin.com>
Date: Tue, 15 May 2007 09:10:12 -0700
In-reply-to: <4649D2C9.9030406@itsecureadmin.com>
References: <4649D2C9.9030406@itsecureadmin.com>
User-agent: Thunderbird 2.0.0.0 (X11/20070326)

N/m, I figured it out.  I had mis-typed users:

access to attrs=userPassword
  by self write
  by anonymous auth
  by * none
access to *
  by self write
  by * read

Thanks,
--
Joshua M. Miller - RHCE,VCP

Joshua M. Miller wrote:

I'm running OpenLDAP 2.3.34 and am having trouble figuring out the ACLs. I have the following:
access  to attr=userPassword
        by self         write
        by anonymous    auth
        by *            none
access  to *
        by self         write
        by *            read
My intention is to allow everything but the userPassword attribute to be available to all users and have the userPassword attribute be available for authentication and password changes by each user (but only for each user).

The problem with the above ACL is that I am able to read all user's password hashes through an authenticated bind. What am I doing wrong?

Thanks,

References:
- ACL Assistance
  - From: "Joshua M. Miller" <joshua@itsecureadmin.com>

Prev by Date: Re: chain-overlay question
Next by Date: Re: ldap ACLS with regex
Index(es):
- Chronological
- Thread