I am experimenting with authenticating users off of OpenLDAP. The default deployment from Apple seems to be (at least in my case) completely wide open. I have been trying to find an ACI to block access to the password value. Does anyone have any good resources on this or, better yet, an ACI I can apply?
Robert Threet http://yesistilluseperl.blogspot.com/
On Mon, 13 Dec 2010 16:22:44 GMT, "RAT" robert3t@netzero.net wrote:
> I am experimenting with authenticating users off of OpenLDAP. The default deployment from Apple seems to be (at least in my case) completely wide open. I have been trying to find an ACI to block access to the password value. Does anyone have any good resources on this or, better yet, an ACI I can apply?
AFAIK Apple has modified and patched OpenLDAP heavily, and I don't know anything about the Apple version. But if a slapd.conf is still maintained by Apple, something like
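
# Root DSE and subschema entry: readable by everyone
access to dn.base="" by * read
access to dn.base="cn=Subschema" by * read

# userPassword: owner may write, the administrator may read, everyone else may only bind
access to attrs=userPassword
        by self write
        by dn.exact="cn=some administrator,dc=example,dc=com" read
        by * auth

# Everything else under the suffix
access to dn.subtree="dc=example,dc=com"
        by dn.exact="cn=some administrator,dc=example,dc=com" write
        by users read
        by anonymous auth
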
gives a minimum of security. In the above configuration cn=some administrator is not rootdn but an additional administration function.
-Dieter
openldap-technical@openldap.org
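
An added example, not part of the thread and not OpenLDAP code: a small offline audit that reads slapd.conf-style `access to` directives and reports the level a given requester gets on `userPassword`, using slapd's first-match rule. The function names (`parse_acls`, `access_level`) and the user DNs are hypothetical, and the evaluator is a simplification: it handles only `*`, `attrs=`, `dn.base`/`dn.exact`/`dn.subtree`, the `*`/`anonymous`/`users`/`self` subjects, plain `by <who> <level>` clauses, and compares DNs as case-insensitive strings.

```python
import re
import shlex
# Constructed sample: the ACLs from the reply above (placeholder DNs).
SAMPLE_CONF = '''access to dn.base="" by * read
access to dn.base="cn=Subschema" by * read
access to attrs=userPassword
    by self write
    by dn.exact="cn=some administrator,dc=example,dc=com" read
    by * auth
access to dn.subtree="dc=example,dc=com"
    by dn.exact="cn=some administrator,dc=example,dc=com" write
    by users read
    by anonymous auth
'''

def parse_acls(conf):
    """Return [(what_tokens, [(who, level), ...])] in file order."""
    acls = []
    joined = re.sub(r"\n[ \t]+(?=\S)", " ", conf)  # indented line = continuation
    for tok in (shlex.split(l) for l in joined.splitlines() if l.startswith("access ")):
        i = tok.index("by")  # simplification: plain "by <who> <level>" triples only
        acls.append((tok[2:i], list(zip(tok[i + 1::3], tok[i + 2::3]))))
    return acls

def _what(what, dn, attr):
    dn, attr = dn.lower(), attr.lower()
    for key, _, val in (w.lower().partition("=") for w in what):
        if ((key == "attrs" and attr not in val.split(","))
                or (key in ("dn.base", "dn.exact") and dn != val)
                or (key == "dn.subtree" and not ("," + dn).endswith("," + val))):
            return False
    return True

def _who(who, requester, dn):
    if who in ("*", "anonymous", "users"):  # "users" = any bound DN, "anonymous" = no bind
        return who == "*" or (who == "users") == (requester is not None)
    if who == "self":
        return requester is not None and requester.lower() == dn.lower()
    key, _, val = who.lower().partition("=")
    return key in ("dn.base", "dn.exact") and (requester or "").lower() == val

def access_level(acls, requester, dn, attr="userPassword"):
    """First matching <what>, then first matching <who>; requester None = anonymous."""
    if not acls:
        return "read"  # slapd default when no ACLs are configured: access to * by * read
    for what, bys in acls:
        if _what(what, dn, attr):
            return next((lvl for who, lvl in bys if _who(who, requester, dn)), "none")
    return "none"  # ACLs exist but none matched
```

A result of `auth` or lower for anonymous and for other users means the hash can be used for binding but not read back. On a real server, OpenLDAP's slapacl(8) evaluates the live configuration and is the authoritative check.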