
Re: Password Access Control does not work as expected
Today at 2:03pm, Martin Konold wrote:

>
> Hi,
>
> I am putting the following as the first entry in slapd.conf:
>
> access to attr=userPassword
>         by group="cn=admin,base_dn" write
>         by group="cn=maintainer,base_dn" write
>         by self write
>         by anonymous auth
>         by * none stop
>
> To my surprise the admin and maintainer users are able to _read_ the
> userPassword attribute. I expect that users are able to authenticate and to
> set the password but nobody is allowed to read the password.

Why did it surprise you?  You did read the slapd.access man page and the
administrators guide before you started, didn't you?  They both tell you
that all accesses include lower level accesses, therefore write includes
read, auth, search, and compare.

-- 
Frank Swasey                    | http://www.uvm.edu/~fcs
Systems Programmer              | Always remember: You are UNIQUE,
University of Vermont           |    just like everyone else.
        === God bless all inhabitants of your planet ===
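The cumulative-privilege point above, as an added example that is not from either poster: the ACL as posted beside a rewrite using the exact-privilege form ("=" prefix) documented in slapd.access(5), which grants only the privileges listed instead of a level and everything below it. The `base_dn` placeholder is kept from the original post.

```conf
# Added example, not from the original posts. "base_dn" is the poster's placeholder.

# As posted: the level form is cumulative, so "write" also grants read,
# search, compare and auth. Admins and maintainers can read password hashes.
access to attr=userPassword
        by group="cn=admin,base_dn" write
        by group="cn=maintainer,base_dn" write
        by self write
        by anonymous auth
        by * none stop

# Exact privileges ("=" form, slapd.access(5)): only the named privileges apply.
# w = write, x = auth. No clause grants r (read), so nobody can read
# userPassword, while password changes and binds still work.
# "attrs=" is the spelling slapd.access(5) documents; "attr=" is the older alias.
access to attrs=userPassword
        by group="cn=admin,base_dn" =w
        by group="cn=maintainer,base_dn" =w
        by self =xw
        by anonymous =x
        by * none
```

Check the effective rights offline with slapacl(8) before reloading, e.g. `slapacl -b "<some entry DN>" -D "cn=<admin member DN>" userPassword/read`, which should report the access as denied under the second form.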