6:16 a.m.
I'm trying to figure out what my ACL should be in slapd.conf. What I
want is that a user can change his/her password, but they won't be able
to read any other user's password. Right now what I have is not
restrictive enough. I've read the OpenLDAP admin guide on ACLs but it
was not clear to me what I should use. What I have currently is below.
What do I need to change it to to have the results I want?
access to attrs=userPassword,sambaLMPassword,sambaNTPassword
by self write
by anonymous auth
by * read
by * none
access to *
by * read
6:34 a.m.
I'm trying to figure out what my ACL should be in slapd.conf.
What I
want is that a user can change his/her password, but they won't be able
to read any other user's password. Right now what I have is not
restrictive enough. I've read the OpenLDAP admin guide on ACLs but it
was not clear to me what I should use. What I have currently is below.
What do I need to change it to to have the results I want?
access to attrs=userPassword,sambaLMPassword,sambaNTPassword
by self write
by anonymous auth
by * read
by * none
As you put "by * read" anyone can read the three specified attribute,
delete this line, and anonymous use will be able to authenticate, the
node will be able to modified itself, and all other kind of users will
have a denied access
access to *
by * read
With this place after, all the directory will be visible by everybody
(including anonymous one), perhaps it should be better to put here "by
user read" but it just a "supposition" as I don't know what do you want
to do with your directory.
Best regards
Denis Sacchet
--
Denis Sacchet aka. Ouba ("`-/")_.-'"``-._
. . `; -._ )-;-,_`)
"Computers are like air conditionners (v_,)' _ )`-.\ ``-'
They stop working properly when you _.- _..-_/ / ((.'
open Windows !!!" ((,.-' ((,/
6:44 a.m.
Denis Sacchet wrote:
As you put "by * read" anyone can read the three specified
attribute,
delete this line, and anonymous use will be able to authenticate, the
node will be able to modified itself, and all other kind of users will
have a denied access
> access to *
> by * read
With this place after, all the directory will be visible by everybody
(including anonymous one), perhaps it should be better to put here "by
user read" but it just a "supposition" as I don't know what do you
want to do with your directory.
Best regards
Denis Sacchet
thanks, when I changed
access to *
by * read
to
access to *
by self read
and restart slapd, i can't log in properly. the setting is too restrictive.
id: cannot find name for user ID 511
[I have no name!@roark ~]$
and when I put it as
access to *
by user read
slapd complains that the configuration file is not valid. I'm just
trying to have my directory work, where users can log in to their shell
account file, samba users can authenticate fine, and no one can see or
change anyone else's passwords.
so now my ACL is:
access to attrs=userPassword,sambaLMPassword,sambaNTPassword
by self write
by anonymous auth
by * none
access to *
by * read
6:49 a.m.
what user do you use with pam_ldap / nss_ldap / samba to access to the
directory ? My ACLs are a quite complicated because I have also postfix,
apache, egroupware who access to the different entries / attribute, but
I have a different user for each service, and set the ACLs depending of
this user ... I don't know if I can't put the whole set of ACLs on this
list (about 100 lines), but everything works fine and nobody can access
or modify data they don't have the right ...
If you are interested, I can mail you directly the part of config file
you are interested in ...
Denis
Adam Williams wrote:
Denis Sacchet wrote:
> As you put "by * read" anyone can read the three specified attribute,
> delete this line, and anonymous use will be able to authenticate, the
> node will be able to modified itself, and all other kind of users will
> have a denied access
>
>
>> access to *
>> by * read
>
> With this place after, all the directory will be visible by everybody
> (including anonymous one), perhaps it should be better to put here "by
> user read" but it just a "supposition" as I don't know what do you
> want to do with your directory.
>
> Best regards
>
> Denis Sacchet
>
thanks, when I changed
access to *
by * read
to
access to *
by self read
and restart slapd, i can't log in properly. the setting is too
restrictive.
id: cannot find name for user ID 511
[I have no name!@roark ~]$
and when I put it as
access to *
by user read
slapd complains that the configuration file is not valid. I'm just
trying to have my directory work, where users can log in to their shell
account file, samba users can authenticate fine, and no one can see or
change anyone else's passwords.
so now my ACL is:
access to attrs=userPassword,sambaLMPassword,sambaNTPassword
by self write
by anonymous auth
by * none
access to *
by * read
--
Denis Sacchet aka. Ouba ("`-/")_.-'"``-._
. . `; -._ )-;-,_`)
"Computers are like air conditionners (v_,)' _ )`-.\ ``-'
They stop working properly when you _.- _..-_/ / ((.'
open Windows !!!" ((,.-' ((,/
8:24 a.m.
On Monday 28 January 2008 18:21:48 Buchan Milne wrote:
On Monday 28 January 2008 16:44:34 Adam Williams wrote:
> thanks, when I changed
>
> access to *
> by * read
>
> to
>
> access to *
> by self read
>
> and restart slapd, i can't log in properly. the setting is too
> restrictive.
No, it is not. Did you read my reply on the nss_ldap list ?
http://www.nabble.com/id:-cannot-find-name-for-user-ID---to15090601.html
2:11 a.m.
Adam Williams wrote:
access to *
by self read
and restart slapd, i can't log in properly. the setting is too
restrictive.
OpenLDAP's FAQ-O-MATIC contains a lot of useful information about ACLs:
http://www.openldap.org/faq/data/cache/189.html
In particular:
http://www.openldap.org/faq/data/cache/320.html
Ciao, Michael.
5522
days inactive
5534
days old
openldap-software@openldap.org
7 comments
5 participants
participants (5)
-
Adam Williams -
Buchan Milne -
Denis Sacchet -
gustavo panizzo <gfa> -
Michael Ströder