[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: Access Rights in SLAPD.CONF

How does the server know where to get the userid/pass to authenticate against?
Is there a specific schema that needs to be adhered to?

Keith Keller wrote:

> On 30 Apr, David J N Begley wrote:
> > What's actually the purpose of "by * compare"?  I mean, I'm using:
> >
> >   defaultaccess  read
> >   access         to attr=userpassword
> >                  by self write
> >                  by * none
> >
> > and authenticated binds to the directory still work without any problems.
> This is just a guess, but since authentication is done in order,
> if a user binds (or attempts to bind) as him/herself, then s/he
> falls under the "by self" scheme, and thus can bind successfully.
> It seems like a vicious circle, since to gain access to the
> userpassword, the user needs to authenticate, but in order to
> authenticate, the user needs access to the userpassword.  Presumably
> (?) the server knows to do a compare only until the compare actually
> matches, then knows to bind as that user and allow access to
> the userpassword.  But that's all pure speculation.
> > Unfortunately the UMich SLAPD Admin guide isn't too clear on distinguishing
> > the differences between "none", "compare", "search", "read" and "write"
> > (beyond the bleedin' obvious which no doubt leaves everything open to
> > interpretation - not good for ACLs).
> Dunno.  I feel like the definitions are clear enough, but not
> separate enough.  For example, giving "write" also gives "read",
> which gives "search", which gives "compare".  What if I want
> my users *only* to write and compare, not read?  This makes
> lots of sense with passwords, where you wouldn't want your users
> to be able to display their password on screen, but you still
> want them to be able to change passwords.
> On a side note, are there any plans for encrypted password
> support in OpenLDAP?  I feel this is important for the sanity
> of the end users--if their password is stored as plain text,
> then an administrator can go read it and then do evil things
> in their name.  Granted, the admin can change the password
> and do evil things anyway, but then at least theoretically
> there's some sort of record that there was a password change.
> And again, the current configuration does not allow passwords
> to be write-only, so giving an admin write (which s/he must
> have) also gives read to the userpassword (which s/he should
> not have).
> -- Keith
> kkeller@dspeed.net