
Re: ACLs - allowing a user to add a new attribute


That makes it much more clear.

Thank you.

Andrew Findlay wrote:
On Wed, Apr 14, 2010 at 04:00:26PM -0400, Matt Ingram wrote:

access to attrs=userPassword
     by group/groupOfNames/member="cn=ldappers,ou=Apps,ou=Groups,ou=Accounts,dc=domain,dc=com" write
     by dn.children="ou=Admins,dc=domain,dc=com" write
     by self write
     by * auth

I'm trying to achieve write access for the ldappers group, children of the Admins OU, and self. 'by self write' should give a user the ability to change their password, correct? Is there a better ACL for what I'm trying to achieve?

You have indeed given those users the ability to change the password.
However, you have also given them the ability to *read* it (because
'write' includes 'read' in OpenLDAP ACLs). This is not usually necessary,
and even if the password is hashed it is good practice to prevent it
being read.

One comment I would make about your ACLs is that in several places you
are granting read access to userPassword. This is not usually
necessary nor is it a good idea. You need 'by * auth' access to permit
authentication, but only need to give '=w' access to those who need to
change passwords. Remember that the 'write' keyword includes read access.

If you replace 'write' with '=w' in the access statement above, you
will still give those users the ability to change the password but
they will not be able to read the existing password.


Matt Ingram
Intermediate Unix Administrator, IS
Canadian Bank Note Company, Limited
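The '=w' change Andrew describes, written out as a slapd.conf fragment beside the original ACL. This is an added example, not text from the thread; the DNs are the ones quoted above, and the slapd.conf path in the check comment is an assumption.

```conf
# Original ACL as posted. 'write' is a privilege *level*: it implies every
# lower level (read, search, compare, auth, disclose), so each matching
# identity can also read the stored userPassword value.
access to attrs=userPassword
    by group/groupOfNames/member="cn=ldappers,ou=Apps,ou=Groups,ou=Accounts,dc=domain,dc=com" write
    by dn.children="ou=Admins,dc=domain,dc=com" write
    by self write
    by * auth

# Hardened version. '=w' grants exactly the write privilege and nothing
# below it, so the same identities can replace the password but cannot
# read it back. Clauses are evaluated in order and the first match wins;
# 'by * auth' must stay, because a bind is evaluated before any identity
# is established and therefore never matches 'self' or the group clause.
access to attrs=userPassword
    by group/groupOfNames/member="cn=ldappers,ou=Apps,ou=Groups,ou=Accounts,dc=domain,dc=com" =w
    by dn.children="ou=Admins,dc=domain,dc=com" =w
    by self =w
    by * auth

# Check (offline, against the config file; path is an assumption):
# slapacl evaluates the ACLs for a given identity (-D) against an entry (-b)
# and reports whether the requested access level on the attribute is granted.
#   slapacl -f /etc/ldap/slapd.conf \
#     -D "uid=someuser,ou=People,dc=domain,dc=com" \
#     -b "uid=someuser,ou=People,dc=domain,dc=com" userPassword/read
#   slapacl -f /etc/ldap/slapd.conf \
#     -D "uid=someuser,ou=People,dc=domain,dc=com" \
#     -b "uid=someuser,ou=People,dc=domain,dc=com" userPassword/write
# With the hardened ACL the first should be denied and the second allowed.
```

If the server is configured through cn=config rather than slapd.conf, the same clauses go into olcAccess values in the same order.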