

--On Friday, March 14, 2003 5:28 PM +0100 Francois Beretti <francois.beretti@enatel.com> wrote:

On Fri 14/03/2003 at 17:17, Quanah Gibson-Mount wrote:
> I have to add "by anonymous search" in the third ACL to get it working
> And after that I can comment the first ACL without effect

Yup.  If you want, and can figure out exactly what information it is
wanting to look at, you can restrict this even more.  For us, any
incoming connection needs access to the krb5PrincipalName attribute
(since we are doing GSSAPI authentication for our applications), so I
have the line:

access to attr=krb5PrincipalName,member
        by * search

ok, but I believe that the information accessed by DIGEST-MD5 mechanism is the userPassword attribute, so I don't want it to be world readable :)

Am I wrong?

I would say that is correct. :) by * search does not give read access, so it isn't world readable if you grant search access. There is a helpful explanation of the differing levels of permissions in the OpenLDAP administrator's guide. See the section about Access Control, specifically Table 5.4.


Quanah Gibson-Mount
Senior Systems Administrator
ITSS/TSS/Computing Systems
Stanford University
GnuPG Public Key: http://www.stanford.edu/~quanah/pgp.html
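The two points the thread turns on are that slapd access levels form a ladder (granting "search" implies "compare" and "auth" but not "read"), and that ACL evaluation is first-match, which is why adding "by anonymous search" to the third clause worked and commenting out the first clause changed nothing. The following is an added example, not OpenLDAP's code and not from anyone in this thread: a small Python model of those two rules with a constructed ACL in the spirit of the quoted "access to attr=krb5PrincipalName,member" line, plus a lint that flags clauses that can never be reached because an earlier clause already covers them. The level ordering used is the OpenLDAP 2.1-era one (none < auth < compare < search < read < write); later releases add a "disclose" level below "auth", which this model leaves out. The DNs and attribute sets are constructed for the example.

```python
"""Toy model of slapd ACL evaluation (constructed example, not OpenLDAP's code).

Two rules are modelled:
  * levels form a ladder; granting a level implies every lower one
    (OpenLDAP 2.1 ordering, assumed here: none < auth < compare < search < read < write)
  * first match wins: the first 'access to' clause whose target covers the
    attribute is used, and inside it the first matching 'by' clause decides.
"""
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple

LEVELS = ["none", "auth", "compare", "search", "read", "write"]


def grants(granted: str, needed: str) -> bool:
    """True if the granted level sits at or above the needed level on the ladder."""
    return LEVELS.index(granted) >= LEVELS.index(needed)


@dataclass
class ByClause:
    who: str     # "self", "anonymous", "users" or "*"
    level: str


@dataclass
class AccessClause:
    attrs: Optional[Set[str]]   # None models the catch-all "access to *"
    by: List[ByClause]


def who_matches(who: str, requester: Optional[str], target_dn: str) -> bool:
    """Subject matching for the handful of 'by' subjects used here (requester None = anonymous)."""
    if who == "*":
        return True
    if who == "anonymous":
        return requester is None
    if who == "users":
        return requester is not None
    if who == "self":
        return requester is not None and requester == target_dn
    raise ValueError(f"unknown subject {who!r}")


def evaluate(acl: List[AccessClause], requester: Optional[str], target_dn: str,
             attr: str, needed: str) -> Tuple[bool, Optional[int]]:
    """Return (allowed, index of the clause that decided) for one access request."""
    for i, clause in enumerate(acl):
        if clause.attrs is not None and attr not in clause.attrs:
            continue                      # this clause does not cover the attribute
        for by in clause.by:
            if who_matches(by.who, requester, target_dn):
                return grants(by.level, needed), i
        return False, i                   # no 'by' matched: implicit "by * none"
    return False, None                    # no clause covered the attribute: denied


def unreachable(acl: List[AccessClause]) -> List[int]:
    """Indices of clauses that can never decide anything because earlier clauses
    already cover every attribute they name (the 'commented it out, no effect' case)."""
    covered: Set[str] = set()
    catch_all_seen = False
    dead = []
    for i, clause in enumerate(acl):
        if catch_all_seen or (clause.attrs is not None and clause.attrs <= covered):
            dead.append(i)
        if clause.attrs is None:
            catch_all_seen = True
        else:
            covered |= clause.attrs
    return dead


# Constructed ACL: passwords usable for binds but never readable, the owner may
# change theirs; krb5PrincipalName and member searchable by anyone (as in the
# quoted line); everything else readable by authenticated users only.
ACL = [
    AccessClause({"userPassword"}, [ByClause("self", "write"),
                                    ByClause("anonymous", "auth"),
                                    ByClause("*", "none")]),
    AccessClause({"krb5PrincipalName", "member"}, [ByClause("*", "search")]),
    AccessClause(None, [ByClause("users", "read"), ByClause("*", "search")]),
]

# A misordered variant: a catch-all "by * read" placed first shadows everything
# after it, including the userPassword protection.
SHADOWED = [AccessClause(None, [ByClause("*", "read")])] + ACL

BOB = "uid=bob,dc=example,dc=com"        # constructed DN
ALICE = "uid=alice,dc=example,dc=com"    # constructed DN

if __name__ == "__main__":
    print(evaluate(ACL, None, BOB, "krb5PrincipalName", "search"))   # (True, 1)
    print(evaluate(ACL, None, BOB, "krb5PrincipalName", "read"))     # (False, 1)
    print(evaluate(ACL, None, BOB, "userPassword", "read"))          # (False, 0)
    print(unreachable(SHADOWED))                                     # [1, 2, 3]
```

Running the script shows that "by * search" on krb5PrincipalName lets an anonymous requester search on the attribute but not read it, that anonymous binds still get "auth" on userPassword without being able to read it, and that in the shadowed variant every clause after the catch-all is dead, which is the kind of ordering slip that quietly exposes userPassword.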