Re: help with ACLs

[Denis Sacchet <ouba@ouba.org>]

> I'm trying to figure out what my ACL should be in slapd.conf.  What I 
> want is that a user can change his/her password, but they won't be able 
> to read any other user's password.  Right now what I have is not 
> restrictive enough.  I've read the OpenLDAP admin guide on ACLs but it 
> was not clear to me what I should use.  What I have currently is below.  
> What do I need to change it to to have the results I want?
>
> access to attrs=userPassword,sambaLMPassword,sambaNTPassword
>        by self write
>        by anonymous auth
>        by * read
>        by * none

As you put "by * read" anyone can read the three specified attribute, 
delete this line, and anonymous use will be able to authenticate, the 
node will be able to modified itself, and all other kind of users will 
have a denied access


> access to *
>        by * read

With this place after, all the directory will be visible by everybody 
(including anonymous one), perhaps it should be better to put here "by 
user read" but it just a "supposition" as I don't know what do you want 
to do with your directory.

Best regards

Denis Sacchet

--
Denis Sacchet aka. Ouba                     ("`-/")_.-'"``-._
                                             . . `; -._    )-;-,_`)
"Computers are like air conditionners       (v_,)'  _  )`-.\  ``-'
They stop working properly when you        _.- _..-_/ / ((.'
open Windows !!!"                        ((,.-'   ((,/