[Date Prev][Date Next] [Chronological] [Thread] [Top]


Title: ldapcompare

Taking a hint from the TODO list, I ended up hacking out parts of ldapsearch and creating ldapcompare.
I can submit it, but I have a question first.

I have an access rule setup in slapd.conf so that users can't see the userPassword attribute unless they are authenticated and they are over an encrypted channel (or on localhost):

access to dn="ou=People,dc=f5,dc=com" attr=userPassword
        by self ssf=128 write
        by self peername="IP=127\.0\.0\.1" write
        by anonymous auth
        by * none

So I did a compare:
ldapcompare -D "uid=costlow,ou=People,dc=f5,dc=com" -W -x "uid=costlow,ou=People,dc=f5,dc=com" userPassword "{CRYPT}$1$asdfj$laksjdlfja"


The above is correct, from localhost I authenticated and then was allowed to compare the userpassword value that was stored.

But when I did this:
ldapcompare "uid=costlow,ou=People,dc=f5,dc=com" userPassword "{CRYPT}$1$asdfj$laksjdlfja"

(I even did this on a host that wasn't localhost without using -ZZ)
Seems to me like the compare in this case should not work, because I wasn't authenticated.  Shouldn't that 'by * none' that's in there mean that I can't even do a compare?  At least the 'by anonymous auth'?  Maybe I am misunderstanding how the access rules work.