[Date Prev][Date Next]
Re: Can I do this with OpenLDAP acls?
Pierangelo Masarati wrote:
Pal, your ACLs are screwed wild. Anonymous can READ the password,
and everything else, but bound users have limited privileges!
Ouch. I didn't even realize I'd set things up that way until you
pointed it out. The ACLs are now as follows:
access to attr=userPassword
by self write
by * auth
access to *
by anonymous read
by self read
(in the second entry, the anonymous line is required for pam_ldap
and nss_ldap to work correctly).
cn=Manager,dc=justthe,dc=net is, as you correctly guessed, the
To answer your question, you may give read permission to "users",
I don't think that'll work. For any account where the masterAccount
attribute equals "sjsobol", for example, I should be able to get access
if I bind as uid=sjsobol,ou=users,dc=justthe,dc=net. If masterAccount=ando,
I should be able to get access if I bind as uid=ando, etc.
I'm going to go look at the FAQ again, though...
JustThe.net Internet & New Media Services, Apple Valley, CA PGP: 0xE3AE35ED
Steven J. Sobol, Geek In Charge / 888.480.4NET (4638) / sjsobol@JustThe.net
"someone once called me a sofa, but i didn't feel compelled to rush out and buy
slip covers." -adam brower * Hiroshima '45, Chernobyl '86, Windows 98/2000/2003