I'm running OpenLDAP 2.3.34 and am having trouble figuring out the ACLs. I have the following:
access to attr=userPassword
    by self write
    by anonymous auth
    by * none
access to *
    by self write
    by * read
My intention is to allow everything but the userPassword attribute to be available to all users and have the userPassword attribute be available for authentication and password changes by each user (but only for each user).
The problem with the above ACL is that I am able to read all users' password hashes through an authenticated bind. What am I doing wrong?
Thanks,
N/m, I figured it out. I had mistyped users:
access to attrs=userPassword
    by self write
    by anonymous auth
    by * none
access to *
    by self write
    by * read
Thanks, -- Joshua M. Miller - RHCE,VCP
Joshua M. Miller wrote:
I'm running OpenLDAP 2.3.34 and am having trouble figuring out the ACLs. I have the following:
access to attr=userPassword
    by self write
    by anonymous auth
    by * none
access to *
    by self write
    by * read
My intention is to allow everything but the userPassword attribute to be available to all users and have the userPassword attribute be available for authentication and password changes by each user (but only for each user).
The problem with the above ACL is that I am able to read all users' password hashes through an authenticated bind. What am I doing wrong?
Thanks,
On 5/15/07, Joshua M. Miller joshua@itsecureadmin.com wrote:
I'm running OpenLDAP 2.3.34 and am having trouble figuring out the ACLs. I have the following:
access to attr=userPassword
Shouldn't this be "access to attrs=userPassword" ?
Matt
TechnoSophos wrote:
On 5/15/07, Joshua M. Miller joshua@itsecureadmin.com wrote:
I'm running OpenLDAP 2.3.34 and am having trouble figuring out the ACLs. I have the following:
access to attr=userPassword
Shouldn't this be "access to attrs=userPassword" ?
attr also works, but it is deprecated in OpenLDAP 2.3
Joshua M. Miller wrote:
I'm running OpenLDAP 2.3.34 and am having trouble figuring out the ACLs. I have the following:
access to attr=userPassword
    by self write
    by anonymous auth
    by * none
access to *
    by self write
    by * read
My intention is to allow everything but the userPassword attribute to be available to all users and have the userPassword attribute be available for authentication and password changes by each user (but only for each user).
The problem with the above ACL is that I am able to read all users' password hashes through an authenticated bind. What am I doing wrong?
Use these ACLs:
access to attrs=userPassword
    by self write
    by * auth
access to attrs=(put your other attributes *except* userPassword here)
    by self write
    by * read
I think you misspelled "attrs". You used "attr".
On May 15, 2007, at 8:33 AM, Joshua M. Miller wrote:
I'm running OpenLDAP 2.3.34 and am having trouble figuring out the ACLs. I have the following:
access to attr=userPassword
    by self write
    by anonymous auth
    by * none
access to *
    by self write
    by * read
My intention is to allow everything but the userPassword attribute to be available to all users and have the userPassword attribute be available for authentication and password changes by each user (but only for each user).
The problem with the above ACL is that I am able to read all users' password hashes through an authenticated bind. What am I doing wrong?
Thanks,
Joshua M. Miller - RHCE,VCP
openldap-software@openldap.org
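The ACL set the thread converges on, written out in slapd.conf layout with the ordering and privilege notes a deployer wants to check. This is an added example, not configuration from the thread or from the OpenLDAP project; the suffix dc=example,dc=com, the user DNs, and the attribute names other than userPassword are assumptions made for the example.

```conf
# Added example (not from the thread): slapd.conf ACLs for the intent
# described above. Everyone may read every attribute except userPassword;
# each user may change only their own password; the stored hash is usable
# for bind only. Suffix and attribute names other than userPassword are
# assumptions for this example.

# Rule 1 must come before the catch-all. slapd uses the first "access to"
# clause whose target matches the entry/attribute and stops there, so a
# userPassword rule placed after "access to *" would never be consulted.
# Note the keyword is "attrs="; "attr=" is still accepted in 2.3 but is
# deprecated.
access to attrs=userPassword
    by self write        # the entry's own DN may replace its password
                         # (write also implies read of its own hash)
    by anonymous auth    # unauthenticated clients may use it to bind only
    by * none            # every other bound identity: no read, no compare
                         # ("none" is also the implicit default, but being
                         # explicit makes the intent reviewable)

# Rule 2: everything else is readable by all and writable by the owner.
# "by self write" here lets a user modify every other attribute of their
# own entry (uid, mail, objectClass, ...). If that is broader than you
# intend, name the self-writable attributes explicitly, as in the second
# suggestion in the thread, for example:
#
#   access to attrs=mail,telephoneNumber
#       by self write
#       by * read
#   access to *
#       by * read
access to *
    by self write
    by * read
```

Two checks worth running against a test server. slapacl(8), which is present in 2.3 and evaluates the ACLs directly from the configuration and database, should report DENIED for `slapacl -f /etc/openldap/slapd.conf -D "uid=bob,ou=people,dc=example,dc=com" -b "uid=alice,ou=people,dc=example,dc=com" userPassword/read` and ALLOWED when `-D` and `-b` name the same user (DNs constructed for the example). Then bind as an ordinary user with ldapsearch and request `userPassword` for another user's entry: slapd does not return an error for attributes the bound identity may not read, it silently omits them, so the test is that the entry comes back without a userPassword line, not that the search fails.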