[Date Prev][Date Next] [Chronological] [Thread] [Top]

RE: RFC [Samba/NIS + LDAP]

Title: RE: RFC [Samba/NIS + LDAP]

-----Original Message-----
From: Erik Persson [mailto:erik@roxen.com]
Sent: Monday, November 12, 2001 2:10 PM
To: openldap-software@OpenLDAP.org
Subject: Re: RFC [Samba/NIS + LDAP]


* Pitfalls... Access control is fundamental, especially for the Windows
  password hashes. You don't want these hashes to get sniffed from the
  network either so use LDAPS (LDAP with SSL/TLS) whenever possible. By
  the way: Can you set an ACL that allows a user to fetch an attribute
  when using an SSL connection but not otherwise? Also, if you use Samba
  and have any kind of debugging enabled the same hashes wind up in Sambas
  log file.

access to dn="ou=People,dc=blech,dc=foo" attr=userPassword
        by self ssf=128 write
        by self peername="127\.0\.0\.1"
        by anonymous auth
        by * none

will only allow an authenticated user to change his password either over an SSL link or from localhost.