[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: acl's and the userpassword field

At 11:22 AM 10/22/99 -0400, Seth Vidal wrote:
>I'm trying restrict searches so that the userpassword entry is not
>readable by users who are not self or rootdn
>here are my acl's
>defaultaccess   read
>access  to dn=".*, dc=phy,dc=duke,dc=edu"  attr=userpassword

That space will cause this access directive to never be applicable.
Remove it.

>        by self         write
>        by dn="cn=managaer, dc=phy,dc=duke,dc=edu" write

Likewise with this by clause.  Also, check spelling of 'managaer'.

>        by *            compare

>does this make any sense?

After fixing the above errors, I suggest:
	1) using a defaultaccess none directive
	2) disallowing compare of userpassword to all

>it seemed consistent - I've toggled the by * compare to none but no luck

compare effects LDAP compare operations, not LDAP bind operations.
I generally recommend something like:

access to attr=userPassword
	by self write
	by dn="cn=manager,dc=sld,dc=tld"
	by * none

Kurt D. Zeilenga <Kurt@OpenLDAP.org>
OpenLDAP Project <http://www.OpenLDAP.org/>