
Re: protected entry



On Wed, Jun 29, 2011 at 10:09:54PM -0300, Friedrich Locke wrote:

> To which objectclass should the entry belong to?

Any class that permits the attribute types that you need.  A common choice
is inetOrgPerson, but for non-person accounts it is more appropriate
to use other classes such as account or organizationalRole - often in
combination with the simpleSecurityObject auxiliary class to permit the
use of userPassword.

dn: uid=u1,dc=people,dc=example,dc=org
objectclass: account
objectclass: simpleSecurityObject
description: A User
uid: u1
userPassword: secret

Note that it is generally best to hash the userPassword value
with SSHA.

> What about access rules?

It is normal to prevent everyone from reading passwords -
including their own. You need to allow anon to have 'auth'
access to the userPassword attribute.

Here is a minimal example:

################################################################
# Users may change their own passwords
# Users may read everything except passwords
# Anon may read everything except passwords

access to attrs="userPassword"
        by self =w
        by * auth

access to * by * read

################################################################



Andrew
-- 
-----------------------------------------------------------------------
|                 From Andrew Findlay, Skills 1st Ltd                 |
| Consultant in large-scale systems, networks, and directory services |
|     http://www.skills-1st.co.uk/                +44 1628 782565     |
-----------------------------------------------------------------------