Re: Restrict access to userPassword
On Tuesday 05 April 2005 09:11, Johan A. wrote:
> I hope I'm on the right list now. but I have 2 computers with Fedora Core 3
> and the accompanying OpenLDAP tools. One of them is server and the other
> one is a client. I would like to set up the server so that users can use it
> to log in to the client but not see userPassword if they issue an
> ldapsearch. I've tried to accomplish this by inserting the following access
> statements in my slapd.conf:
> # rootdn can always read and write EVERYTHING!
> #access to attr=userPassword
> # by dn="cn=Manager,dc=testldap,dc=com" write
> # by self write
> # by anonymous auth
> # by * compare
You did not tell which version of OpenLDAP you use.
According to OpenLDAP 2.2's slapd.access man page the key word for attributes
* "by self write" allows the users to see their own password too.
To prevent this use "by self =wx"
* "by * compare" allows anybody to compare anybody else's password
with a given string. This may allow malicious users to find out other
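A slapd.conf fragment, added here as an illustration and not part of the original message, showing the two clauses the reply objects to next to a tightened version. It keeps the poster's Manager DN; the `attrs=` spelling and the final `by * none` clause are assumptions drawn from the OpenLDAP 2.2 slapd.access(5) man page.

```conf
# Weak (as posted): "by self write" also grants read, so a user can retrieve
# its own hash; "by * compare" lets any bound user test guesses against
# anyone's hash.
#access to attrs=userPassword
#    by dn="cn=Manager,dc=testldap,dc=com" write
#    by self write
#    by anonymous auth
#    by * compare

# Tightened: "=wx" grants exactly write and auth, so a user can change and
# bind with its password but not read or compare it; "by * none" closes the
# compare oracle for everyone else. Continuation lines must start with
# whitespace so slapd joins them to the "access to" line.
access to attrs=userPassword
    by dn="cn=Manager,dc=testldap,dc=com" write
    by self =wx
    by anonymous auth
    by * none
```

After restarting slapd, an `ldapsearch` bound as an ordinary user should return the entry without the userPassword attribute, while a bind with the correct password still succeeds.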