Re: ssf Security Question
--On Tuesday, November 14, 2017 8:56 PM +0000 Kaya Saman
<kayasaman@gmail.com> wrote:
> access to *
> by ssf=128 self write
> by ssf=128 anonymous auth
> by ssf=128 users read
> # Added ACL for open access to AddressBook in Read and Search only mode
> access to dn.children="ou=AddressBook,dc=domain,dc=com"
> by * search
> by * read
Your second ACL will never be evaluated, since the first ACL matches
everything. As noted in the slapd.access(5) man page, ACL processing stops
on the first matching ACL.
In addition, in your second ACL, the "by * read" will never be processed,
because of the match to "by * search". If you're already planning on
granting read, there is no point to having by * search there at all.
I.e., your ACLs should be:
access to dn.children="ou=AddressBook,dc=domain,dc=com"
by * read
access to *
by ssf=128 self write
by ssf=128 anonymous auth
by ssf=128 users read
And I generally doubt you want to give users read to "*", as this means
they can read the userPassword values of other users, etc.
You might want something more like:
access to dn.children="ou=AddressBook,dc=domain,dc=com"
by * read
access to attrs=userPassword
by ssf=128 anonymous auth
by ssf=128 self write
access to *
by ssf=128 self write
by ssf=128 users read
And yes, you have to remove the global SSF setting if the phone cannot
support startTLS on port 389.
--Quanah
--
Quanah Gibson-Mount
Product Architect
Symas Corporation
Packaged, certified, and supported LDAP solutions powered by OpenLDAP:
<http://www.symas.com>
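The first-match behaviour the reply relies on can be checked without a running directory. The script below is an added example, not code from this thread or from OpenLDAP: it models the subset of slapd.access(5) semantics discussed above (directives tried in order, first matching target wins, first matching "by" clause sets the level, an ssf=N requirement is a precondition on its clause, no matching clause means none) and runs the three ACL sets from the reply against constructed requesters. The DNs, the SSF values and the requester objects are assumptions made for the demonstration; real slapd has many more target and "by" forms (control keywords such as stop/break/continue, dn.subtree, set=, group=, and so on) that this toy deliberately omits.

```python
"""Toy model of slapd's first-match ACL evaluation (slapd.access(5)).

Added example, not code from this thread or from OpenLDAP. It models only:
  * "access to" directives are tried in order; the first one whose target
    matches the entry (and attribute) decides the result, later ones are
    never consulted;
  * inside that directive, "by" clauses are tried in order; the first one
    whose <who> matches (with its ssf=N requirement met) sets the level;
  * a matched directive with no matching "by" clause yields none;
  * each level implies every weaker one (auth < search < read < write).
DNs, requesters and SSF values below are constructed for the demonstration.
"""
from dataclasses import dataclass, field
from typing import List, Optional

LEVELS = ["none", "disclose", "auth", "compare", "search", "read", "write", "manage"]


@dataclass
class By:
    who: str          # "self", "anonymous", "users" or "*"
    level: str        # one of LEVELS
    ssf: int = 0      # minimum session SSF for this clause to match at all


@dataclass
class Access:
    target: str = "*"   # "*", 'dn.children="<base>"' or "attrs=<name>"
    by: List[By] = field(default_factory=list)


@dataclass
class Requester:
    dn: Optional[str]   # None for an anonymous session
    ssf: int            # 0 on a cleartext connection, 128 after StartTLS here


def norm(dn: str) -> str:
    return dn.lower().replace(", ", ",")


def target_matches(target: str, entry_dn: str, attr: Optional[str]) -> bool:
    if target == "*":
        return True
    if target.startswith("dn.children="):
        base = norm(target[len("dn.children="):].strip('"'))
        e = norm(entry_dn)
        return e != base and e.endswith("," + base)   # strict descendants only
    if target.startswith("attrs="):
        wanted = target[len("attrs="):].lower().split(",")
        return attr is not None and attr.lower() in wanted
    raise ValueError(f"unsupported target clause: {target}")


def who_matches(by: By, req: Requester, entry_dn: str) -> bool:
    if req.ssf < by.ssf:      # ssf=N gates the whole clause, not just the level
        return False
    if by.who == "*":
        return True
    if by.who == "anonymous":
        return req.dn is None
    if by.who == "users":
        return req.dn is not None
    if by.who == "self":
        return req.dn is not None and norm(req.dn) == norm(entry_dn)
    raise ValueError(f"unsupported who clause: {by.who}")


def granted(acls: List[Access], req: Requester, entry_dn: str,
            attr: Optional[str] = None) -> str:
    """Access level req gets on entry_dn (optionally on one attribute)."""
    for acl in acls:
        if not target_matches(acl.target, entry_dn, attr):
            continue
        for by in acl.by:
            if who_matches(by, req, entry_dn):
                return by.level
        return "none"   # directive matched but no "by" clause did: stop here
    return "none"       # nothing matched: slapd's implicit default


def allows(acls: List[Access], req: Requester, entry_dn: str, op: str,
           attr: Optional[str] = None) -> bool:
    return LEVELS.index(granted(acls, req, entry_dn, attr)) >= LEVELS.index(op)


AB = 'dn.children="ou=AddressBook,dc=domain,dc=com"'
# The poster's ordering: catch-all first, AddressBook second.
ORIGINAL = [
    Access("*", [By("self", "write", 128), By("anonymous", "auth", 128),
                 By("users", "read", 128)]),
    Access(AB, [By("*", "search"), By("*", "read")]),
]
# Reply's first version: AddressBook directive first, single "by * read".
REORDERED = [
    Access(AB, [By("*", "read")]),
    Access("*", [By("self", "write", 128), By("anonymous", "auth", 128),
                 By("users", "read", 128)]),
]
# Reply's second version: fence off userPassword before the catch-all.
HARDENED = [
    Access(AB, [By("*", "read")]),
    Access("attrs=userPassword", [By("anonymous", "auth", 128), By("self", "write", 128)]),
    Access("*", [By("self", "write", 128), By("users", "read", 128)]),
]

if __name__ == "__main__":
    card = "cn=bob,ou=AddressBook,dc=domain,dc=com"   # constructed entry DN
    phone = Requester(dn=None, ssf=0)                  # anonymous, no StartTLS
    print("phone on AddressBook, original order:", granted(ORIGINAL, phone, card))
    print("phone on AddressBook, reordered:     ", granted(REORDERED, phone, card))
```

Running it shows the two failure modes the reply names: with the poster's ordering an anonymous cleartext client gets none on an AddressBook entry because "access to *" swallows the request, and even the AddressBook directive on its own stops at "by * search", so "by * read" is dead. It also shows why the userPassword directive has to sit before the catch-all: under REORDERED any TLS-protected user reads another user's userPassword, under HARDENED only self (over SSF 128) can touch it.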