Hi Michael,
On 11/04/16 09:11, Michael Ströder wrote:
OK - I'm going to have to get my head around that :) On a test platform... Am I right in thinking the job of the 2nd ACL is because if employeeType is Archive|Delete, the first ACL will simple fall through - so the second ACL is semantically a "Deny All"?
Yepp.
Thanks! That's clearer now.
One other thing - I did not mention, which is retrospect might be important:
I don't let slapd store password hashes - it passes through to Kerberos via saslauthd. So the attribute is of this form:
userPassword: {SASL}someuser@MY.KERB.REALM
I presume that blocking access to userPassword will still cause authentication to fail in this case as it won't be able to do that lookup?
Yes, I think so. But I never used saslauthd myself.
I'll set up a test and confirm to this list (to make the archive of this thread more useful to someone else).
I thought you'd say that :) I'm OK with limiting access to the parent directory (in this case to the slapd user and root). For me, it feels simpler. You may disagree, but I just wanted to say it wasn't an oversight.
Your server, your attack vectors...
:)
Cheers!
Tim
openldap-technical@openldap.org