Re: access control puzzlement

On Tue, 11 May 1999, Eric S. Johansson wrote:
> For example: if a client binds to dn: ou=Garnet,ou=jewelry,ou=store, the
> expectation is that Garnet is a node with the attribute userpassword and
> that password is used as part of the authentication for
> changing/reading/comparing attributes in that dn.  Correct?

That's right on.

> >The first rule is to make sure that people browsing the directory don't see
> >others' passwords.
> That's a good thing to point out.  It's obvious to anyone with any security
> experience but it's not obvious to all.

And not particularly obvious until you notice it in a search result, and
suddenly realize that userpassword is just an attribute, like any one
else. Just happens to be pretty confidential stuff.
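
An added example, not part of the original thread: a small audit check that reads LDIF search output and reports which entries return userPassword to the searcher, without printing the values. The sample LDIF is constructed (only the Garnet DN comes from the message above), and the function name `exposed_passwords` is hypothetical.

```python
import base64
import re

# Constructed sample: what a search might return when no access rule
# protects userPassword. Values are made up; no real hashes are used.
_B64 = base64.b64encode(b"{SSHA}constructed-not-a-real-hash").decode()
SAMPLE_LDIF = (
    "dn: ou=Garnet,ou=jewelry,ou=store\n"
    "ou: Garnet\n"
    "userPassword:: " + _B64 + "\n\n"
    "dn: ou=Opal,ou=jewelry,ou=store\n"
    "ou: Opal\n"
    "userPassword: constructed-plain-\n value\n\n"   # folded line
    "dn: ou=Ruby,ou=jewelry,ou=store\n"
    "ou: Ruby\n"
)


def exposed_passwords(ldif):
    """Return [(dn, scheme)] for each entry whose userPassword is visible."""
    # LDIF folds long lines: a line starting with one space continues
    # the previous line, so join those before parsing.
    text = re.sub(r"\n ", "", ldif).strip()
    findings = []
    for block in re.split(r"\n\s*\n", text):        # entries are blank-line separated
        dn, scheme = None, None
        for line in block.splitlines():
            name, sep, rest = line.partition(":")
            if not sep:
                continue
            if rest.startswith(":"):                # "attr:: value" is base64
                raw = base64.b64decode(rest[1:].strip())
                value = raw.decode("utf-8", "replace")
            else:
                value = rest.strip()
            key = name.lower()                      # attribute names ignore case
            if key == "dn":
                dn = value
            elif key == "userpassword":
                # Stored values often carry a {SCHEME} prefix; none means cleartext.
                m = re.match(r"\{([A-Za-z0-9-]+)\}", value)
                scheme = m.group(1).upper() if m else "CLEARTEXT"
        if dn and scheme:
            findings.append((dn, scheme))
    return findings


if __name__ == "__main__":
    for dn, scheme in exposed_passwords(SAMPLE_LDIF):
        print(f"userPassword visible on {dn} ({scheme})")
```

Run it against the output of a search made with the least-privileged identity you expect to browse the directory; an empty result is the goal.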