[Date Prev][Date Next] [Chronological] [Thread] [Top]

RE: OPEN LDAP ACL

To: Olivier - <piwako@outlook.fr>, Florent Vallée <florent.vallee@insa-cvl.fr>, openldap-technical <openldap-technical@openldap.org>
Subject: RE: OPEN LDAP ACL
From: Quanah Gibson-Mount <quanah@symas.com>
Date: Tue, 21 May 2019 23:37:09 -0700
Content-disposition: inline
In-reply-to: <91B3795CAC9A359C93284D9B@[192.168.1.39]>
References: <1566955836.133593.1558343149906.JavaMail.zimbra@insa-cvl.fr> <AM0PR0102MB307506D64B68DCCEB2C38337A2070@AM0PR0102MB3075.eurprd01.prod.exchangelabs.com> <91B3795CAC9A359C93284D9B@[192.168.1.39]>

--On Tuesday, May 21, 2019 3:41 PM -0700 Quanah Gibson-Mount<quanah@symas.com> wrote:

Here an example :



access to attrs=userPassword

by dn.exact="cn=admin,dc=example,dc=fr" write

by users auth

by anonymous auth

by * none


That should be "by users read", not "by users auth" as per their stated
requirements.  I would note that this ACL would be problematic in a
replicated environment unless the "cn=admin,dc=example,dc=fr" DN is also
used for replication.

Additionally, I'm guessing what is really desired is "by self read" ratherthan "by users read", as the latter would allow any authenticated DN toread the userPassword value of any entry in the DB.


--Quanah




--

Quanah Gibson-Mount
Product Architect
Symas Corporation
Packaged, certified, and supported LDAP solutions powered by OpenLDAP:
<http://www.symas.com>

References:
- OPEN LDAP ACL
  - From: Florent Vallée <florent.vallee@insa-cvl.fr>
- RE: OPEN LDAP ACL
  - From: Olivier - <piwako@outlook.fr>
- RE: OPEN LDAP ACL
  - From: Quanah Gibson-Mount <quanah@symas.com>

Prev by Date: Re: Help need with replication
Next by Date: Antw: Re: Help need with replication
Index(es):
- Chronological
- Thread