Re: Hiding userPassword and other attributes from anonymous LDAP clients (such as Eudora)
Your access control is wrong!!
----- Original Message -----
From: "Rudolf Nottrott, NCEAS" <email@example.com>
To: "Kurt D. Zeilenga" <Kurt@OpenLDAP.org>
Cc: "Patrick Timmons" <firstname.lastname@example.org>; "Mike Coughlan"
Sent: Friday, October 13, 2000 11:44 PM
Subject: Re: Hiding userPassword and other attributes from
anonymous LDAP clients (such as Eudora)
> I do have an entry with a clear text password entry that looks like this.
> userPassword: test
> And yet, nothing is returned if I do
> ldapsearch -b searchbase "userpassword=test"
> If I do
> ldapsearch -b searchbase "userpassword=*"
> I get the entry, plus others.
> The entry is not returned if I do
> At 04:33 PM 10/13/00 -0700, Kurt D. Zeilenga wrote:
> >At 04:18 PM 10/13/00 -0700, Rudolf Nottrott, NCEAS wrote:
> >>I just tried this out, and I'm getting strange effects.
> >>I set up a test entry with user password "test".
> >>If I do
> >>ldapsearch -b searchbase "userpassword=*"
> >>then I get indeed all entries with a password (without actually seeing
> >>password in the returned entries).
> >Yes, you granted permission to search by userPassword.
> >>If I do
> >>ldapsearch -b searchbase "userpassword=test"
> >>I get nothing returned whatsoever.
> >>Now this is even more confusing!
> >This implies none of the entries' userPassword value is "test".
> >You are asserting userPassword is "test", not password is "test".
> >That is, if userPassword is some value derived from "test"
> >(such as when hashed passwords are in use), then to get a match
> >you'd have to assert this derived value.
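
Added example, not part of the original thread and not OpenLDAP code: a toy Python model of the comparison described in the quoted explanation, where an equality filter on userPassword is matched against the stored value rather than against the password it was derived from. The DNs, the salt and the helper names are constructed for illustration, the `{SSHA}` scheme stands in for "hashed passwords", and access control is not modelled.

```python
import base64
import hashlib
import hmac

SALT = b"\x01\x02\x03\x04"  # constructed fixed salt, for a repeatable example only


def ssha(password: bytes, salt: bytes) -> bytes:
    """Build a {SSHA} value: base64(SHA1(password + salt) + salt)."""
    digest = hashlib.sha1(password + salt).digest()
    return b"{SSHA}" + base64.b64encode(digest + salt)


# Constructed sample directory: attribute values as the stored octet strings.
ENTRIES = {
    "uid=alice,dc=example,dc=org": {"userPassword": [b"test"]},  # stored in clear
    "uid=bob,dc=example,dc=org": {"userPassword": [ssha(b"test", SALT)]},
    "uid=carol,dc=example,dc=org": {},  # no userPassword at all
}


def search(attr: str, assertion: bytes) -> list[str]:
    """Toy filter: '*' is a presence test; anything else must equal a
    stored value byte for byte."""
    hits = []
    for dn, attrs in ENTRIES.items():
        values = attrs.get(attr, [])
        matched = bool(values) if assertion == b"*" else assertion in values
        if matched:
            hits.append(dn)
    return sorted(hits)


def verify_bind(stored: bytes, password: bytes) -> bool:
    """Password verification, by contrast, re-derives the hash using the
    salt kept inside the stored value."""
    if stored.startswith(b"{SSHA}"):
        raw = base64.b64decode(stored[len(b"{SSHA}"):])
        digest, salt = raw[:20], raw[20:]
        candidate = hashlib.sha1(password + salt).digest()
        return hmac.compare_digest(candidate, digest)
    return hmac.compare_digest(stored, password)


if __name__ == "__main__":
    print(search("userPassword", b"*"))     # presence: alice and bob
    print(search("userPassword", b"test"))  # equality: only the clear-text entry
    print(search("userPassword", ssha(b"test", SALT)))  # derived value: bob
```
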