Re: (ITS#5195) ssf not available during sasl bind
--On Saturday, October 27, 2007 3:00 AM +0000 quanah@zimbra.com wrote:
> access to userPassword
>     by users sasl_ssf=128 read break
>     by users tls_ssf=128 read
Replace users by self, sorry. Obviously you don't want any user to read
it. ;) Although hm, anonymous needs access at least for auth, so:
access to userPassword
    by anonymous auth
    by self sasl_ssf=128 read break
    by self tls_ssf=128 read
Note that in the anonymous access case, the user password is never
transmitted from the server end, in any case.
You could do a similar requirement as above, something like:
access to userPassword
    by anonymous sasl_ssf=128 auth break
    by anonymous tls_ssf=128 auth
    by self read
(At this point, you've forced any user to be encrypted, so no need to
duplicate the requirements on the read access).
--Quanah
--
Quanah Gibson-Mount
Principal Software Engineer
Zimbra, Inc
--------------------
Zimbra :: the leader in open source messaging and collaboration