[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: Can I do this with OpenLDAP acls?

Pierangelo Masarati wrote:
Pal, your ACLs are screwed wild.  Anonymous can READ the password,
and everything else, but bound users have limited privileges!

Ouch. I didn't even realize I'd set things up that way until you pointed it out. The ACLs are now as follows:

access to attr=userPassword
        by self write
        by * auth

access to *
        by anonymous read
        by self read

(in the second entry, the anonymous line is required for pam_ldap
and nss_ldap to work correctly).

cn=Manager,dc=justthe,dc=net is, as you correctly guessed, the

To answer your question, you may give read permission to "users",

I don't think that'll work. For any account where the masterAccount attribute equals "sjsobol", for example, I should be able to get access if I bind as uid=sjsobol,ou=users,dc=justthe,dc=net. If masterAccount=ando, I should be able to get access if I bind as uid=ando, etc.

I'm going to go look at the FAQ again, though...

-- JustThe.net Internet & New Media Services, Apple Valley, CA PGP: 0xE3AE35ED Steven J. Sobol, Geek In Charge / 888.480.4NET (4638) / sjsobol@JustThe.net "someone once called me a sofa, but i didn't feel compelled to rush out and buy slip covers." -adam brower * Hiroshima '45, Chernobyl '86, Windows 98/2000/2003