[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: entry modify failed while trying to change user password

>>> access to *
>>>         by * read
>>> access to attrs=userPassword
>>>         by self write
>>>         by * auth
>> This looks correct.
> Actually, I have a question about this.  Since access to * by * read comes
> first, won't the second ACL never be evaluated?  My understanding of
> OpenLDAP ACL's is they stop at the first matching ACL that gives any sort
> of access (unless there is a by * break in there).   And besides, isn't
> this ACL particularly insecure, in that it would allow anyone to read
> anyone elses password?  I would expect that these two ACL's should be
> reversed.

Gotcha.  Sorry for the wrong indication.


Pierangelo Masarati

    SysNet - via Dossi,8 27100 Pavia Tel: +390382573859 Fax: +390382476497