Re: Can I do this with OpenLDAP acls?
Pierangelo Masarati wrote:
> Pal, your ACLs are screwed wild. Anonymous can READ the password,
> and everything else, but bound users have limited privileges!
Ouch. I didn't even realize I'd set things up that way until you
pointed it out. The ACLs are now as follows:
access to attr=userPassword
        by self write
        by * auth
access to *
        by anonymous read
        by self read
(in the second entry, the anonymous line is required for pam_ldap
and nss_ldap to work correctly).
cn=Manager,dc=justthe,dc=net is, as you correctly guessed, the
rootdn.
To answer your question ("you may give read permission to users"):
I don't think that'll work. For any account where the masterAccount
attribute equals "sjsobol", for example, I should be able to get access
if I bind as uid=sjsobol,ou=users,dc=justthe,dc=net. If masterAccount=ando,
I should be able to get access if I bind as uid=ando, etc.
I'm going to go look at the FAQ again, though...
--
JustThe.net Internet & New Media Services, Apple Valley, CA PGP: 0xE3AE35ED
Steven J. Sobol, Geek In Charge / 888.480.4NET (4638) / sjsobol@JustThe.net
"someone once called me a sofa, but i didn't feel compelled to rush out and buy
slip covers." -adam brower * Hiroshima '45, Chernobyl '86, Windows 98/2000/2003
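The per-entry "master account" rule asked for above, as an added slapd.conf example that is not from the original post or from OpenLDAP's own documentation. It assumes that masterAccount stores the full DN of the controlling account (uid=sjsobol,ou=users,dc=justthe,dc=net) rather than the bare uid "sjsobol" used in the mail, because the dnattr= clause compares the bound DN against DN-valued attributes of the entry being accessed. The file paths and the ando entry are assumptions for illustration.

```conf
# Added example, not the poster's configuration. Assumes entries carry
#   masterAccount: uid=sjsobol,ou=users,dc=justthe,dc=net
# (a DN, not a bare uid), since dnattr= only matches DN values.
#
# slapd evaluates "by" clauses top to bottom and stops at the first
# one that matches the bound identity, so order matters: self and
# dnattr must come before the catch-all "*".

# Password hashes: the owner and the master account may change them;
# everyone else may only present them in a bind (auth), never read them.
access to attrs=userPassword
        by self write
        by dnattr=masterAccount write
        by anonymous auth
        by * none

# Everything else: owner and master account can read; anonymous read
# is kept because pam_ldap/nss_ldap in this setup bind anonymously.
access to *
        by self read
        by dnattr=masterAccount read
        by anonymous read
```

Before restarting slapd, the effective rights can be checked offline with slapacl, for example `slapacl -f /etc/openldap/slapd.conf -D "uid=sjsobol,ou=users,dc=justthe,dc=net" -b "uid=ando,ou=users,dc=justthe,dc=net" userPassword/write` (assuming ando's entry lists sjsobol's DN in masterAccount); it reports whether the bound DN is granted the requested access on the target entry. If anonymous read of the whole tree is wider than the nss_ldap/pam_ldap clients actually need, giving them a dedicated bind DN lets the `by anonymous read` line be dropped in favour of `by users read`.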