
Re: userpassword permissions



On Tue, 2005-03-15 at 14:10, Jon Roberts wrote:
> This was just discussed, I know.
> 
> OpenLDAP 2.2.23, BDB 4.2.52, FC3
> 
> Acls in slapd.conf:
> 
> access to attr=userPassword
>      by self write
>      by anonymous auth
>      by * none

This is the correct syntax. The last line is implicit and not necessary.

Have you tried to restart slapd and perform your anonymous ldapsearch
again?

What happens if you:
- remove the lines 'by self write' and 'by anonymous auth',
- restart slapd
- and perform your anonymous ldapsearch?


> access to dn.subtree="ou=Anonymous,ou=Comments,ou=Expressions,o=mentata.com"
>      by dn="uid=annie,ou=Generic,ou=People,o=mentata.com" write
>      by * read
> access to *
>      by * read
> 
> I get:
> 
> % ldapsearch -x -b 'ou=Generic,ou=People,o=mentata.com' '(uid=*)'
> 
> # extended LDIF
> #
> # LDAPv3
> # base <ou=People,o=mentata.com> with scope sub
> # filter: (uid=*)
> # requesting: ALL
> #
> 
> # annie, Generic, People, mentata.com
> dn: uid=annie,ou=Generic,ou=People,o=mentata.com
> objectClass: top
> objectClass: person
> objectClass: organizationalPerson
> objectClass: inetOrgPerson
> userPassword:: bm9ubmll
> uid: annie
> givenName: Annie
> sn: Nonnie
> cn: Annie Nonnie
> 
> # search result
> search: 2
> result: 0 Success
> 
> # numResponses: 2
> # numEntries: 1
> 
> Why is the (base64-encoded) password visible on an anonymous search with 
> these access control rules?
> 

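As an added example (not code from the thread above and not OpenLDAP's own code), the following Python models the two things the reply is checking: how slapd chooses an access directive for a request (the first `access to` whose target matches, then the first matching `by` clause, with the implicit `by * none` if none matches), run over a transcription of the posted rules and over a hypothetical misordered variant with `access to *` listed first; and a scan of ldapsearch LDIF output for a userPassword value handed to an anonymous client, decoding the `::` base64 form. The ACL model covers only the `<what>` and `<who>` forms used in the posted slapd.conf, DN matching is a case-insensitive string comparison, and a request matching no directive is treated as denied; the sample LDIF is constructed to mirror the posted output. Function names (`granted_level`, `allowed`, `leaked_attrs`) and `MISORDERED_ACLS` are mine.

```python
"""Added example: minimal slapd ACL first-match model plus an LDIF leak check.

Modelling assumptions (not a reimplementation of slapd): only the target and
subject forms used in the posted slapd.conf are handled, DNs are compared as
lower-cased strings, and a request matching no directive at all is denied.
"""
import base64

# Access levels in increasing order of privilege, as listed in slapd.access(5).
LEVELS = ["none", "disclose", "auth", "compare", "search", "read", "write"]

ANNIE = "uid=annie,ou=Generic,ou=People,o=mentata.com"
ANON_SUBTREE = "ou=Anonymous,ou=Comments,ou=Expressions,o=mentata.com"

# Transcription of the posted rules: (target, [(who, level), ...]).
# The trailing 'by * none' is omitted on purpose; slapd supplies it implicitly.
POSTED_ACLS = [
    (("attr", "userPassword"), [("self", "write"), ("anonymous", "auth")]),
    (("subtree", ANON_SUBTREE), [(("dn", ANNIE), "write"), ("*", "read")]),
    (("any",), [("*", "read")]),
]

# Hypothetical misconfiguration: the catch-all directive placed first.
MISORDERED_ACLS = [(("any",), [("*", "read")])] + POSTED_ACLS


def _norm(dn):
    """Comparison key for a DN: lower-cased, whitespace around commas dropped."""
    return ",".join(p.strip() for p in dn.lower().split(","))


def target_matches(target, entry_dn, attr):
    kind = target[0]
    if kind == "any":
        return True
    if kind == "attr":
        return attr is not None and attr.lower() == target[1].lower()
    if kind == "subtree":
        base, entry = _norm(target[1]), _norm(entry_dn)
        return entry == base or entry.endswith("," + base)
    raise ValueError("unsupported target %r" % (target,))


def who_matches(who, requester_dn, entry_dn):
    if who == "*":
        return True
    if who == "anonymous":
        return requester_dn is None
    if who == "self":
        return requester_dn is not None and _norm(requester_dn) == _norm(entry_dn)
    if isinstance(who, tuple) and who[0] == "dn":
        return requester_dn is not None and _norm(requester_dn) == _norm(who[1])
    raise ValueError("unsupported who %r" % (who,))


def granted_level(acls, requester_dn, entry_dn, attr):
    """Level the model grants; requester_dn=None means an anonymous bind."""
    for target, by_clauses in acls:
        if not target_matches(target, entry_dn, attr):
            continue                      # directive does not apply, try next
        for who, level in by_clauses:
            if who_matches(who, requester_dn, entry_dn):
                return level              # first matching 'by' clause wins
        return "none"                     # implicit 'by * none'
    return "none"                         # nothing matched (assumed deny)


def allowed(acls, requester_dn, entry_dn, attr, wanted):
    """True if the granted level is at least 'wanted' ('read' to see it in a search)."""
    got = granted_level(acls, requester_dn, entry_dn, attr)
    return LEVELS.index(got) >= LEVELS.index(wanted)


def leaked_attrs(ldif_text, sensitive=("userpassword",)):
    """Map entry DN -> {attr: value} for sensitive attributes found in LDIF output.

    Continuation lines (leading space) are unfolded; 'attr:: value' is base64.
    """
    unfolded = []
    for line in ldif_text.splitlines():
        if line.startswith(" ") and unfolded:
            unfolded[-1] += line[1:]
        else:
            unfolded.append(line)
    found, dn = {}, None
    for line in unfolded:
        if not line or line.startswith("#"):
            continue
        if line.lower().startswith("dn: "):
            dn = line[4:].strip()
            continue
        if ":: " in line:
            attr, raw = line.split(":: ", 1)
            value = base64.b64decode(raw).decode("utf-8", "replace")
        elif ": " in line:
            attr, value = line.split(": ", 1)
        else:
            continue
        if attr.lower() in sensitive:
            found.setdefault(dn, {})[attr] = value
    return found


# Constructed sample in the shape of the posted ldapsearch output.
SAMPLE_LDIF = """\
# annie, Generic, People, mentata.com
dn: uid=annie,ou=Generic,ou=People,o=mentata.com
objectClass: inetOrgPerson
userPassword:: bm9ubmll
uid: annie
cn: Annie Nonnie
"""

if __name__ == "__main__":
    print("posted, anonymous:", granted_level(POSTED_ACLS, None, ANNIE, "userPassword"))
    print("misordered, anonymous:", granted_level(MISORDERED_ACLS, None, ANNIE, "userPassword"))
    print("leaked:", leaked_attrs(SAMPLE_LDIF))
```

Under the model the posted rules give an anonymous requester only `auth` on userPassword, which is below the `read` needed for the attribute to appear in a search result, so the output in the post is not what those rules produce; the misordered variant, where `access to * by * read` comes first, is the kind of configuration that does return it. The LDIF scanner is the offline counterpart of re-running the anonymous ldapsearch after the restart the reply suggests: feed it the saved output and it reports any password values, decoded, per entry.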