
ACL double check, userpassword:{SASL} and simple binds



I need to support simple bind (I assume) because of older clients that
don't have SASL binds (like pam_ldap.so). But on the other hand, I
don't want sensitive information (like the password) to be changeable
with a simple bind. I have this ACL:

----- s n i p -----
access to attr=userPassword
        by dn="[MY ADMIN DN]" write
        by dn="uid=[USERNAME]" read
        by ssf=112 auth
        by ssf=128 self write
        by anonymous auth
        by self write
        by * none
----- s n i p -----

Does the 'ssf' (I found an example of this in the archives; I don't
fully understand it) limit the (write) access to the password? Also,
when I do this search

----- s n i p -----
ldapsearch -I -b 'dc=com' -H ldaps:/// -LLL \
'(&(uid=root)(objectclass=posixAccount))' userPassword
----- s n i p -----

I'll get this back (it's supposed to be '{SASL}root'):

----- s n i p -----
dn: uid=root,[MY USER DN]
userPassword:: e1NBU0x9cm9vdA==
----- s n i p -----

From what I have understood with 'userPassword={SASL}root', slapd
will 'chase' the password to the KDC. Is this correctly understood?


-- 
 Turbo     __ _     Debian GNU     Unix _IS_ user friendly - it's just 
 ^^^^^    / /(_)_ __  _   ___  __  selective about who its friends are 
         / / | | '_ \| | | \ \/ /   Debian Certified Linux Developer  
  _ /// / /__| | | | | |_| |>  <  Turbo Fredriksson   turbo@tripnet.se
  \\\/  \____/_|_| |_|\__,_/_/\_\ Stockholm/Sweden
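An added example, not code from the original post or from the OpenLDAP project, that models how slapd walks the 'by' clauses of the ACL above and decodes the base64 value ldapsearch printed. It assumes only the documented first-match rule from slapd.access(5): the first 'by' clause whose qualifiers all match decides the access level, and evaluation then stops. The evaluator is a deliberately small model of that rule (it does not cover regex styles, 'users', group or set qualifiers beyond the ones used here), the DNs are constructed stand-ins for the bracketed placeholders, and FIXED_ACL is a suggested reordering, not something taken from the thread.

```python
# Added example: a model of slapd's first-match ACL evaluation and an LDIF
# value decoder.  Not slapd code; DNs below are constructed stand-ins.
import base64

ADMIN_DN = "cn=admin,dc=example,dc=com"                 # constructed
ROOT_DN = "uid=root,ou=people,dc=example,dc=com"        # constructed
OTHER_DN = "uid=someone,ou=people,dc=example,dc=com"    # constructed

# The ACL as posted, clause order preserved, placeholders replaced.
POSTED_ACL = f"""
access to attrs=userPassword
        by dn="{ADMIN_DN}" write
        by dn="{OTHER_DN}" read
        by ssf=112 auth
        by ssf=128 self write
        by anonymous auth
        by self write
        by * none
"""

# Suggested reordering: the ssf-qualified self clause must come before any
# unqualified clause that would match the same bind, and the cleartext
# "by self write" is dropped.  (The per-user read clause is omitted here;
# re-add it only if that account really has to read password hashes.)
FIXED_ACL = f"""
access to attrs=userPassword
        by dn="{ADMIN_DN}" write
        by ssf=128 self write
        by anonymous auth
        by * none
"""


def parse_acl(text):
    """Return [(qualifiers, access)] for each 'by' clause, in file order.
    Simplified: quoted DNs must not contain spaces."""
    clauses = []
    for line in text.strip().splitlines():
        tokens = line.split()
        if not tokens or tokens[0] != "by":
            continue                      # skip the 'access to ...' line
        access = tokens[-1]
        who = {}
        for tok in tokens[1:-1]:
            if tok == "*":
                who["any"] = True
            elif tok in ("anonymous", "users", "self"):
                who[tok] = True
            elif tok.startswith("ssf="):
                who["ssf"] = int(tok[len("ssf="):])
            elif tok.startswith("dn="):
                who["dn"] = tok[len("dn="):].strip('"')
            else:
                raise ValueError(f"qualifier not covered by this model: {tok}")
        clauses.append((who, access))
    return clauses


def evaluate(clauses, binddn, ssf, target_dn):
    """Access granted to a bind identity (binddn, '' for anonymous) with the
    given security strength factor, on the entry target_dn.  All qualifiers
    in a clause must match; the first matching clause wins (control 'stop')."""
    for who, access in clauses:
        if "anonymous" in who and binddn:
            continue
        if "users" in who and not binddn:
            continue
        if "self" in who and binddn != target_dn:
            continue
        if "dn" in who and binddn != who["dn"]:
            continue
        if "ssf" in who and ssf < who["ssf"]:
            continue
        return access
    return "none"                         # nothing matched: access denied


def decode_ldif_line(line):
    """Split one LDIF attribute line into (name, raw bytes).  'name:: b64' is
    base64 (ldapsearch always writes userPassword that way); 'name: v' is not."""
    name, _, rest = line.partition(":")
    if rest.startswith(":"):
        return name, base64.b64decode(rest[1:].strip())
    return name, rest.strip().encode()


if __name__ == "__main__":
    scenarios = [("self, ssf=128 (ldaps)", ROOT_DN, 128),
                 ("self, ssf=0 (cleartext)", ROOT_DN, 0),
                 ("anonymous, ssf=0 (simple bind)", "", 0),
                 ("admin, ssf=0", ADMIN_DN, 0)]
    for label, dn, ssf in scenarios:
        posted = evaluate(parse_acl(POSTED_ACL), dn, ssf, ROOT_DN)
        fixed = evaluate(parse_acl(FIXED_ACL), dn, ssf, ROOT_DN)
        print(f"{label:32} posted={posted:6} fixed={fixed}")
    print(decode_ldif_line("userPassword:: e1NBU0x9cm9vdA=="))
```

Under the posted order a self bind over ldaps (ssf 128) stops at `by ssf=112 auth` and gets only auth, while a cleartext self bind (ssf 0) skips both ssf clauses, is not anonymous, and reaches `by self write`: the ssf clauses as written therefore do not restrict password writes at all, they only shadow the later write. With the reordered ACL, self write is granted only at ssf 128, a cleartext self bind falls through to `by * none`, and `by anonymous auth` still lets a simple bind authenticate. The decoder shows that `e1NBU0x9cm9vdA==` is exactly `{SASL}root`; the `::` form is ldapsearch's LDIF base64 encoding of the value, not a different stored value.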