[Date Prev][Date Next] [Chronological] [Thread] [Top]

userpassword permissions

This was just discussed, I know.

OpenLDAP 2.2.23, BDB 4.2.52, FC3

Acls in slapd.conf:

access to attr=userPassword
    by self write
    by anonymous auth
    by * none
access to dn.subtree="ou=Anonymous,ou=Comments,ou=Expressions,o=mentata.com"
    by dn="uid=annie,ou=Generic,ou=People,o=mentata.com" write
    by * read
access to *
    by * read

I get:

% ldapsearch -x -b 'ou=Generic,ou=People,o=mentata.com' '(uid=*)'

# extended LDIF
#
# LDAPv3
# base <ou=People,o=mentata.com> with scope sub
# filter: (uid=*)
# requesting: ALL
#

# annie, Generic, People, mentata.com
dn: uid=annie,ou=Generic,ou=People,o=mentata.com
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
userPassword:: bm9ubmll
uid: annie
givenName: Annie
sn: Nonnie
cn: Annie Nonnie

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1

Why is the (base64-encoded) password visible on an anonymous search with these access control rules?

Jon Roberts
www.mentata.com