
Re: Restrict access to userPassword


On Tuesday 05 April 2005 09:11, Johan A. wrote:
> I hope I'm on the right list now, but I have 2 computers with Fedora Core 3
> and the accompanying OpenLDAP tools. One of them is the server and the other
> one is a client. I would like to set up the server so that users can use it
> to log in to the client but not see userPassword if they issue an
> ldapsearch. I've tried to accomplish this by inserting the following access
> statements in my slapd.conf:
> # rootdn can always read and write EVERYTHING!
> #access to attr=userPassword
> #       by dn="cn=Manager,dc=testldap,dc=com" write
> #       by self write
> #       by anonymous auth
> #       by * compare

You did not say which version of OpenLDAP you use.
According to OpenLDAP 2.2's slapd.access man page the keyword for attributes
is "attrs".

Please note:
* "by self write" allows the users to see their own password too.
  To prevent this use "by self =wx"
* "by * compare" allows anybody to compare anybody else's password
  with a given string. This may allow malicious users to find out other
  users' passwords.

Peter Marschall
eMail: peter@adpm.de
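As an added illustration (not part of the reply above, and not taken from
Johan's configuration), here is a slapd.conf fragment that applies the three
points made in the reply. The suffix dc=testldap,dc=com and the rootdn
cn=Manager are taken from Johan's post; the second "access to *" rule and
the comments are assumptions about what the client needs for logins.

```conf
# Added example, not the original poster's configuration.
# Keyword is "attrs" (slapd.access(5) in OpenLDAP 2.2), not "attr".
access to attrs=userPassword
        # The rootdn (cn=Manager,dc=testldap,dc=com) bypasses ACLs,
        # so it needs no "by" clause of its own.
        # "=wx" grants exactly write and auth: users can change their
        # own password and bind with it, but cannot read it back.
        by self =wx
        # Simple bind by an unauthenticated client needs "auth" access.
        by anonymous auth
        # No "compare" for everyone else: "by * compare" would let any
        # bound user test guesses against other entries' passwords.
        by * none

# Assumption: the remaining attributes stay readable so the client can
# resolve accounts for login (uid, uidNumber, homeDirectory, ...).
access to *
        by * read
```

Clauses are evaluated in order and the first matching "by" wins, so "by *
none" must come after the "self" and "anonymous" lines, and the
userPassword rule must precede the catch-all "access to *" rule.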