[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: userpassword permissions

To: man@mentata.com
Subject: Re: userpassword permissions
From: "Kurt D. Zeilenga" <Kurt@OpenLDAP.org>
Date: Tue, 15 Mar 2005 13:17:36 -0800
Cc: OpenLDAP-software@OpenLDAP.org
In-reply-to: <42373314.5070604@jonanddeb.net>
References: <42373314.5070604@jonanddeb.net>

I would guess that you have some other access controls in
your slapd.conf(5) file, or that you didn't restart the
server after modifying your slapd.conf(5) file, or your
slapd.conf(5) file is malformed in some way.

Kurt

At 11:10 AM 3/15/2005, Jon Roberts wrote:
>This was just discussed, I know.
>
>OpenLDAP 2.2.23, BDB 4.2.52, FC3
>
>Acls in slapd.conf:
>
>access to attr=userPassword
>    by self write
>    by anonymous auth
>    by * none
>access to dn.subtree="ou=Anonymous,ou=Comments,ou=Expressions,o=mentata.com"
>    by dn="uid=annie,ou=Generic,ou=People,o=mentata.com" write
>    by * read
>access to *
>    by * read
>
>I get:
>
>% ldapsearch -x -b 'ou=Generic,ou=People,o=mentata.com' '(uid=*)'
>
># extended LDIF
>#
># LDAPv3
># base <ou=People,o=mentata.com> with scope sub
># filter: (uid=*)
># requesting: ALL
>#
>
># annie, Generic, People, mentata.com
>dn: uid=annie,ou=Generic,ou=People,o=mentata.com
>objectClass: top
>objectClass: person
>objectClass: organizationalPerson
>objectClass: inetOrgPerson
>userPassword:: bm9ubmll
>uid: annie
>givenName: Annie
>sn: Nonnie
>cn: Annie Nonnie
>
># search result
>search: 2
>result: 0 Success
>
># numResponses: 2
># numEntries: 1
>
>Why is the (base64-encoded) password visible on an anonymous search with these access control rules?
>
>Jon Roberts
>www.mentata.com

Follow-Ups:
- Re: userpassword permissions
  - From: Jon Roberts <jon@jonanddeb.net>

References:
- userpassword permissions
  - From: Jon Roberts <jon@jonanddeb.net>

Prev by Date: Re: ASN1 - syncInfoValue
Next by Date: Re: Object Class violation
Index(es):
- Chronological
- Thread