
Re: Password Access Control does not work as expected
>
> Hi,
>
> I am putting the following as the first entry in slapd.conf:
>
> access to attr=userPassword
>         by group="cn=admin,base_dn" write
>         by group="cn=maintainer,base_dn" write
>         by self write
>         by anonymous auth
>         by * none stop
>
> To my surprise the admin and maintainer users are able to _read_ the
> userPassword attribute. I expect that users are able to authenticate and
> to  set the password but nobody is allowed to read the password.
>
> (Tested with multiple versions of OpenLDAP incl. 2.1.12)
>
> Is this a known issue?

yes, it's called RTFM in general, and ACL "level" in detail; a "level"
implies all the "level"s below, and it's been like this (and thoroughly
documented) since UMich's ldap-3.3 (the first one I happened to use ages
ago).  What you want to do is perfectly documented as well in
slapd.access(5), and it's called "privilege"; a "privilege" is a specific
access mode, which can be set to <write-privilege> and <auth-privilege>
only.  See slapd.access(5) for details on how to use privileges instead of
levels.

p.

-- 
Pierangelo Masarati
mailto:pierangelo.masarati@sys-net.it
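As an added illustration that is not part of this thread, the following Python models the difference the reply points out: a slapd.access(5) "level" grants itself plus every level below it, while a "=privs" privilege clause grants exactly the listed operations. It evaluates the poster's ACL and a privilege-based rewrite of it; the privilege letters (`x` for auth, `w` for write) follow the slapd.access(5) syntax as I understand it, and the `base_dn` placeholder and group names are kept from the post.

```python
import re

# slapd.access(5) levels in increasing order; a level grants itself and every
# level below it, which is why "write" lets the admin group read the hash
LEVELS = ["none", "auth", "compare", "search", "read", "write"]
# privilege letters of the "=<privs>" form; such a clause grants exactly the
# listed privileges and nothing else (mapping assumed from slapd.access(5))
PRIVS = {"x": "auth", "c": "compare", "s": "search", "r": "read", "w": "write"}

def grants(access: str, want: str) -> bool:
    """True if an access spec (a level name or "=privs") grants the wanted operation."""
    if access.startswith("="):
        return want in {PRIVS[ch] for ch in access[1:]}
    return LEVELS.index(want) <= LEVELS.index(access)

def parse_by_clauses(acl_text: str):
    """Return the (who, access) pairs of each 'by <who> <access> [control]' line, in order."""
    return re.findall(r"^\s*by\s+(\S+)\s+(\S+)", acl_text, re.MULTILINE)

def effective(acl_text: str, who: str, want: str) -> bool:
    """First 'by' clause whose <who> matches decides, as slapd evaluates one directive.
    <who> is compared as the literal token and 'by *' matches anyone; the stop/break
    controls are ignored because only a single 'access to' directive is modelled."""
    for clause_who, access in parse_by_clauses(acl_text):
        if clause_who in (who, "*"):
            return grants(access, want)
    return False

# the ACL from the post, expressed with levels (constructed from the message)
ORIGINAL_ACL = """access to attr=userPassword
        by group="cn=admin,base_dn" write
        by group="cn=maintainer,base_dn" write
        by self write
        by anonymous auth
        by * none stop
"""

# the same policy expressed with privileges, as the reply suggests (my rewrite)
PRIVILEGE_ACL = """access to attr=userPassword
        by group="cn=admin,base_dn" =w
        by group="cn=maintainer,base_dn" =w
        by self =xw
        by anonymous =x
        by * none stop
"""

if __name__ == "__main__":
    admin = 'group="cn=admin,base_dn"'
    for name, acl in (("levels", ORIGINAL_ACL), ("privileges", PRIVILEGE_ACL)):
        print(f"{name}: admin read={effective(acl, admin, 'read')}, "
              f"admin write={effective(acl, admin, 'write')}, "
              f"anonymous auth={effective(acl, 'anonymous', 'auth')}")
```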