
Re: keeping userPassword as protected as possible



On Tue, Jan 01, 2002 at 11:59:35AM -0500, charlie derr wrote:
% The following seems to work, but I have the feeling that there may be a
% more efficient (or perhaps more secure?) way to accomplish the same
% thing. 
% 
% access to attr=userPassword
%       by self write
%       by anonymous auth
%       by dn="cn=Manager,dc=ourdomain,dc=edu" write
%       by * compare
% access to *
%       by self write
%       by dn="cn=Manager,dc=ourdomain,dc=edu" write
%       by users read
%       by * read

I'm not sure if you're saying that you want to give users *only* the right
to change their password; in that case, you want to take out the "by self
write" clause in your second ACL. Also, you don't have to give your root DN
(specified by the rootdn directive) write access to everything; no ACLs
apply to the root DN.

Also, if you don't have any applications that use ldap_compare() to compare
the user's password (if all your applications rebind as the user to check
auth), you can get rid of the "by * compare" clause too.

So depending on the above conditions, you could probably make do with:

defaultaccess read
access to attr=userPassword
      by self write
      by anonymous auth

john
-- 
John Morrissey          _o            /\         ----  __o
jwm@horde.net        _-< \_          /  \       ----  <  \,
www.horde.net/    __(_)/_(_)________/    \_______(_) /_(_)__
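The tightened ACL set John sketches, written out as an annotated slapd.conf fragment. This is an added illustration, not part of the original reply or of any OpenLDAP distribution: the suffix and Manager DN are the ones from the quoted post, `defaultaccess` is the OpenLDAP 2.0-era directive John uses, and the explicit `by * none` spells out what slapd already does when no `by` clause matches.

```conf
# Added example: minimal ACLs for a directory where users may only change
# their own password, applications bind as the user to check credentials,
# and everything else is world-readable.  Suffix/DN taken from the quoted post.

# Anything not matched by a later "access to" directive gets read access.
# (In later releases this is written as a trailing "access to * by * read"
# and must then come LAST, since directives are evaluated in order and the
# first "access to" that matches the target wins.)
defaultaccess read

# userPassword must be the most specific directive, so it comes first.
access to attr=userPassword
      # The entry's owner may set a new password.
      by self write
      # Unauthenticated clients may use the value to bind (simple bind),
      # but may not read or compare it.
      by anonymous auth
      # Nobody else gets anything.  This is also what slapd does implicitly
      # when no "by" clause matches; stated here for clarity.
      by * none

# Not needed: no "by dn=cn=Manager,dc=ourdomain,dc=edu write" line.
# The rootdn bypasses access control entirely, so granting it rights
# in an ACL changes nothing.

# If some application still uses ldap_compare() against userPassword
# instead of rebinding as the user, replace "by * none" above with
#       by * compare
# which exposes only a yes/no answer for a guessed value, not the hash.
```

Two things worth checking after changing ACLs like this: that a non-root authenticated user really cannot read another entry's userPassword (the 2.0 catch-all previously handed out `read` to everyone for every attribute the first directive did not cover), and that whatever performs authentication for your applications still works, since anything that relied on the old `by * compare` or on reading the hash will break once only `auth` is granted.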