A little more on openLDAP
Josh Miller
joshua at itsecureadmin.com
Fri Feb 15 22:10:20 UTC 2008
m.roth2006 at rcn.com wrote:
> b) when you're coming in, first you need the ability to
> read with anonymous authority, so that you can look
> up who you are, so that you can give it your password,
> so you can be authorized to change your password.
>
>
> access to *            # all attributes
>     by * read          # anybody can read it
>     by self write      # only you can write
>     by anonymous auth  # but you come in to start with
>                        # anon authority
>
>
Try this instead:
access to attrs=shadowLastChange,userPassword
    by self write
    by anonymous auth
    by * none
access to *            # all attributes except entries listed above
    by * read          # anybody can read it
    by anonymous auth
Your ordering allows anonymous reading of your passwords and I recommend
re-ordering them. Also, your ACLs allowed users to change any entry
they own themselves, which may not be desirable.
Regards,
Josh, RHCE
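To make the ordering point concrete, here is a small evaluator (added for this page; it is not code from the thread or from OpenLDAP itself) that models how slapd picks the first `access to` directive covering an attribute and then the first matching `by` clause within it, and replays both ACL sets from the message. The parser only understands `access to *`, `access to attrs=...` and `by <who> <level>` with `*`, `anonymous`, `users` and `self`; the DNs and the "deny when nothing matches" fallback are assumptions of the model, not slapd behaviour the message documents.

```python
"""Toy evaluator for slapd.conf-style access directives (added example).

Models OpenLDAP's first-match rule: the first 'access to' whose <what> covers
the attribute is the only directive consulted, and inside it the first 'by'
clause whose <who> matches the requester decides the access level.  A real
slapd.conf supports many more selectors; this is only enough to replay the
two ACL sets discussed in the thread.  DNs below are constructed samples.
"""
from dataclasses import dataclass
from typing import Optional

# Access levels are cumulative: granting 'read' also grants search, compare and auth.
LEVELS = ["none", "auth", "compare", "search", "read", "write"]


@dataclass(frozen=True)
class Requester:
    dn: Optional[str]  # None models an anonymous (unauthenticated) connection


def parse_acls(text):
    """Return a list of (attrs, by_clauses); attrs is None for '*' or a set of names."""
    acls = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and indentation
        if not line:
            continue
        words = line.split()
        if words[:2] == ["access", "to"] and len(words) == 3:
            what = words[2]
            if what == "*":
                attrs = None
            elif what.startswith("attrs="):
                attrs = {a.lower() for a in what[len("attrs="):].split(",")}
            else:
                raise ValueError(f"unsupported <what>: {what}")
            acls.append((attrs, []))
        elif words[0] == "by" and len(words) == 3 and words[2] in LEVELS and acls:
            acls[-1][1].append((words[1], words[2]))
        else:
            raise ValueError(f"unsupported line: {raw!r}")
    return acls


def who_matches(who, requester, target_dn):
    if who == "*":
        return True
    if who == "anonymous":
        return requester.dn is None
    if who == "users":
        return requester.dn is not None
    if who == "self":
        return requester.dn is not None and requester.dn.lower() == target_dn.lower()
    raise ValueError(f"unsupported <who>: {who}")


def granted_level(acls, attr, requester, target_dn):
    """Access level the requester gets on attr of the entry target_dn."""
    for attrs, by_clauses in acls:
        if attrs is not None and attr.lower() not in attrs:
            continue  # this directive does not cover the attribute
        for who, level in by_clauses:
            if who_matches(who, requester, target_dn):
                return level  # first matching <who> wins (default control is 'stop')
        return "none"  # no <who> matched: behaves like a trailing 'by * none'
    return "none"  # assumption in this model: no matching directive means deny


def allows(acls, attr, requester, target_dn, wanted):
    return LEVELS.index(granted_level(acls, attr, requester, target_dn)) >= LEVELS.index(wanted)


ORIGINAL = """
access to *            # all attributes
    by * read          # anybody can read it
    by self write      # only you can write
    by anonymous auth  # but you come in to start with anon authority
"""
PROPOSED = """
access to attrs=shadowLastChange,userPassword
    by self write
    by anonymous auth
    by * none
access to *            # all attributes except entries listed above
    by * read          # anybody can read it
    by anonymous auth
"""

ALICE = "uid=alice,ou=people,dc=example,dc=com"  # constructed sample DNs
BOB = "uid=bob,ou=people,dc=example,dc=com"
ANON, ALICE_BOUND, BOB_BOUND = Requester(None), Requester(ALICE), Requester(BOB)


def report(name, text):
    acls = parse_acls(text)
    print(f"--- {name}")
    for label, req in (("anonymous", ANON), ("alice (self)", ALICE_BOUND), ("bob", BOB_BOUND)):
        for attr in ("userPassword", "cn"):
            print(f"{label:13} {attr:13} -> {granted_level(acls, attr, req, ALICE)}")


if __name__ == "__main__":
    report("original ordering", ORIGINAL)
    report("re-ordered as in the reply", PROPOSED)
```

Running it shows why the order matters: in the original set `by * read` is the first clause that matches every requester, so anonymous binds get `read` on `userPassword` and the later `self` and `anonymous` clauses are never reached. In the re-ordered set, `userPassword` is matched by the first directive, where anonymous gets only `auth` (enough to bind, not to read the hash), the entry owner gets `write`, and everyone else gets `none`, while ordinary attributes such as `cn` still fall through to the second directive and stay world-readable.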
More information about the redhat-list mailing list