I think "attr=userPassword" would be a search filter. "attrs=userPassword"
would be an attribute list. Try adding the 's', and maybe that'll work,

-Matt

On Tue, 2005-03-15 at 13:10 -0600, Jon Roberts wrote:
> This was just discussed, I know.
>
> OpenLDAP 2.2.23, BDB 4.2.52, FC3
>
> Acls in slapd.conf:
>
> access to attr=userPassword
>     by self write
>     by anonymous auth
>     by * none
> access to dn.subtree="ou=Anonymous,ou=Comments,ou=Expressions,o=mentata.com"
>     by dn="uid=annie,ou=Generic,ou=People,o=mentata.com" write
>     by * read
> access to *
>     by * read
>
> I get:
>
> % ldapsearch -x -b 'ou=Generic,ou=People,o=mentata.com' '(uid=*)'
>
> # extended LDIF
> #
> # LDAPv3
> # base <ou=People,o=mentata.com> with scope sub
> # filter: (uid=*)
> # requesting: ALL
> #
>
> # annie, Generic, People, mentata.com
> dn: uid=annie,ou=Generic,ou=People,o=mentata.com
> objectClass: top
> objectClass: person
> objectClass: organizationalPerson
> objectClass: inetOrgPerson
> userPassword:: bm9ubmll
> uid: annie
> givenName: Annie
> sn: Nonnie
> cn: Annie Nonnie
>
> # search result
> search: 2
> result: 0 Success
>
> # numResponses: 2
> # numEntries: 1
>
> Why is the (base64-encoded) password visible on an anonymous search with
> these access control rules?
>
> Jon Roberts
> www.mentata.com

Matthew J. Smith
University of Connecticut ITS
This message sent at Tue Mar 15 14:58:45 2005
PGP Key: http://web.uconn.edu/dotmatt/matt.asc
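Added example, not from the thread and not OpenLDAP code: a toy Python model of how slapd walks an ACL list (the first "access to" clause whose target matches wins, then its first matching "by" clause, with the implicit trailing "by * none"), loaded with the three clauses from Jon's post. It also shows what happens when the "access to *" catch-all is placed first, so that it swallows the userPassword request before the password clause is ever reached. The supported <who> forms and the subtree matching are simplifications (assumptions), and the model only knows the documented attrs= form, so it does not settle the attr/attrs question itself.

```python
# Toy model of slapd ACL evaluation (slapd.access(5)): first "access to" clause
# whose <what> matches the target wins, then its first matching "by" clause; an
# unmatched requester gets the implicit "by * none". Added example, not OpenLDAP code.
LEVELS = ["none", "disclose", "auth", "compare", "search", "read", "write"]

def rule(by, attrs=None, subtree=None):
    """<what>: optional attrs= list and/or dn.subtree= base; None = unrestricted."""
    return {"attrs": set(attrs) if attrs else None, "subtree": subtree, "by": by}

def what_matches(r, dn, attr):
    base, dn = (r["subtree"] or "").lower(), dn.lower()
    if base and dn != base and not dn.endswith("," + base):
        return False
    # attrs= limits the clause to listed attributes; "access to *" matches everything.
    return r["attrs"] is None or attr in r["attrs"]

def who_matches(who, requester, dn):
    # Simplified <who> forms (assumption): *, anonymous, users, self, dn=<exact DN>.
    if who == "*":
        return True
    if who in ("anonymous", "users"):
        return (requester is None) == (who == "anonymous")
    target = dn if who == "self" else who[3:] if who.startswith("dn=") else None
    if target is None:
        raise ValueError("unsupported <who>: " + who)
    return requester is not None and requester.lower() == target.lower()

def access(rules, requester, dn, attr=None):
    """Access level granted to requester (None = anonymous bind) on dn/attr."""
    for r in rules:
        if not what_matches(r, dn, attr):
            continue                 # clause is not about this target
        for who, level in r["by"]:
            if who_matches(who, requester, dn):
                return level         # first matching "by" wins
        return "none"                # implicit trailing "by * none"
    return "none"                    # no clause matched at all

# The three clauses from the post, in the order given.
ANNIE = "uid=annie,ou=Generic,ou=People,o=mentata.com"
COMMENTS = "ou=Anonymous,ou=Comments,ou=Expressions,o=mentata.com"
POSTED = [
    rule([("self", "write"), ("anonymous", "auth"), ("*", "none")], attrs=["userPassword"]),
    rule([("dn=" + ANNIE, "write"), ("*", "read")], subtree=COMMENTS),
    rule([("*", "read")]),
]
# Catch-all first: it also matches userPassword, so the password clause is never reached.
MISORDERED = [POSTED[2], POSTED[0], POSTED[1]]
```

With the clauses in the posted order an anonymous bind gets only "auth" on userPassword; with the catch-all first it gets "read", which is the kind of ordering mistake worth checking before suspecting keyword spelling.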