[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: (ITS#3446) ACL val clause ineffective with bind

> access to attr=userpassword val.regex=^[{]SMD5[}].*
>         by * none
> Rerun ldapsearch as above. The read is prohibited, but the bind is not.
> dn: cn=md5,o=University of Michigan,c=US
> is output. I would expect "Invalid credentials." I'd claim this to be an
> processing bug.

In fact, back-bdb (as other storage backends do) doesn't pass the value f
the password attribute to the access checking utility.  I'd guess it's
intended, although I do not recall the reason.

I guess what you intend to do is to allow bind based on some hash
mechanism only.  I think this possibility should be considered, maybe
through a different mechanism

Pierangelo Masarati

    SysNet - via Dossi,8 27100 Pavia Tel: +390382573859 Fax: +390382476497