On Wed, Jun 29, 2011 at 10:09:54PM -0300, Friedrich Locke wrote:
> To which objectclass should the entry belong?
Any class that permits the attribute types that you need. A common choice is inetOrgPerson, but for non-person accounts it is more appropriate to use other classes such as account or organizationalRole - often in combination with the simpleSecurityObject auxiliary class to permit the use of userPassword.
dn: uid=u1,dc=people,dc=example,dc=org
objectclass: account
objectclass: simpleSecurityObject
description: A User
uid: u1
userPassword: secret
Note that it is generally best to hash the userPassword value with SSHA.
> What about access rules?
It is normal to prevent everyone from reading passwords - including their own. You need to allow anon to have 'auth' access to the userPassword attribute.
Here is a minimal example:
################################################################
# Users may change their own passwords
# Users may read everything except passwords
# Anon may read everything except passwords

access to attrs="userPassword"
        by self =w
        by * auth

access to *
        by * read
################################################################
Andrew