Re: ACLs - allowing a user to add a new attribute
That makes it much more clear.
Andrew Findlay wrote:
On Wed, Apr 14, 2010 at 04:00:26PM -0400, Matt Ingram wrote:
access to attrs=userPassword
by dn.children="ou=Admins,dc=domain,dc=com" write
by self write
by * auth
trying to achieve write access for the ldappers group, children of the
Admins ou and self. 'by self write' should give a user the ability to change
their password, correct? Is there a better ACL for what I'm trying to
You have indeed given those users the ability to change the password.
However, you have also given them the ability to *read* it (because
'write' includes 'read' in OpenLDAP ACLs). This is not usually necessary,
and even if the password is hashed it is good practice to prevent it
One comment I would make about your ACLs is that in several places you
are granting read access to userPassword. This is not usually
necessary nor is it a good idea. You need 'by * auth' access to permit
authentication, but only need to give '=w' access to those who need to
change passwords. Remember that the 'write' keyword includes read access.
If you replace 'write' with '=w' in the access statement above, you
will still give those users the ability to change the password but
they will not be able to read the existing password.
Intermediate Unix Administrator, IS
Canadian Bank Note Company, Limited
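The change Andrew describes, as an added example that is not part of the thread: the userPassword clause from the original message written as a cn=config modification, first as posted ('write', which in OpenLDAP implies read), then replaced with '=w', which grants write only. Assumptions not stated in the thread: the database is olcDatabase={1}mdb,cn=config, this clause is the first olcAccess value ({0}), and the ldappers group is cn=ldappers,ou=Groups,dc=domain,dc=com.

```ldif
# Added example, not from the thread. Assumed database DN and {0} ordering;
# the ldappers group DN is a placeholder since the thread does not give it.
dn: olcDatabase={1}mdb,cn=config
changetype: modify
# As posted: 'write' includes read, so Admins and the user can read the
# stored hash. Delete-by-value must match the stored value exactly.
delete: olcAccess
olcAccess: {0}to attrs=userPassword
  by dn.children="ou=Admins,dc=domain,dc=com" write
  by self write
  by * auth
-
# Corrected: '=w' is write-only, so the password can be changed but not
# read; 'by * auth' still lets anyone bind against it.
add: olcAccess
olcAccess: {0}to attrs=userPassword
  by group.exact="cn=ldappers,ou=Groups,dc=domain,dc=com" =w
  by dn.children="ou=Admins,dc=domain,dc=com" =w
  by self =w
  by * auth
```

Apply it with ldapmodify against cn=config. The check that matters afterwards: an ldapsearch bound as one of the Admins children no longer returns userPassword at all (that is the intended effect of dropping read), while ldappasswd run as a user still succeeds, because the Password Modify operation only needs write on the attribute. Remember that 'by' clauses are evaluated in order and the first match wins, so the group and dn.children clauses must come before 'by * auth'.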