A little more on openLDAP

...(and I did refrain from typing openLCRAP).

Having spent another day and a half fighting what I thought I had fixed... here's more.

The sequence is critical in the ACL. From what I've read:
a) the first match takes it, so whatever it hits first is
what's in effect.
b) when you're coming in, first you need the ability to
read with anonymous authority, so that you can look
up who you are, so that you can give it your password,
so you can be authorized to change your password.

Got that? Make sense? Not to me, either. AND they don't give you a default ACL that lets users change their own passwords (and why is that?)

So, I had to change to

access to * # all attributes
by * read # anybody can read it
by self write # only you can write
by anonymous auth # but you come in to start with
# anon authority

access: to attrs=shadowLastChange,userPassword
by self write
by anonymous auth

Geez, what crap. And before someone stands up for it, here's how I would do it:
<I'm coming in>
<do I know your name?>
no) can you do what you want with anon authority?
yes) [ok, let's do what you want]
no) go away, boy, ya bother me.
yes) <ok, do you need a password? [process] yep
<prompt for password>
<password ok?>
yes) [ok, let's do what you want]
no) <are we tired?>
yes) go away, boy, ya bother me.
no) loop to prompt till we get tired
<done>

And what idiot leads you through the process, and *then* looks to see if you're authorized (ldappasswd, interactive)?

mark

--
redhat-list mailing list
unsubscribe mailto:redhat-list-request@xxxxxxxxxx?subject=unsubscribe
https://www.redhat.com/mailman/listinfo/redhat-list

Relevant Pages

  • Re: A little more on openLDAP
    ... read with anonymous authority, ... your ACLs allowed users to change any entry they own themselves which may not be desirable. ...
    (RedHat)
  • Off Topic -- Corrupted gzip file
    ... I have found myself in a spot of bother with a gzip file of web logs ... further distribution of it is strictly prohibited without our authority. ...
    (SunManagers)
  • Re: America, the new Reich
    ... authority. ... he shouldn't have been calling 911 in that ... I've been asked for my receipts many times -- it doesn't bother me, ... Americans are handing over their rights for simple convenience. ...
    (rec.sport.football.college)
  • Re: Thou shalt have no other gods before the ANSI C standard
    ... >> appeal to authority doesn't count for much in scientific inquiry. ... > a decimal value or a rational fraction that expresses the square ... I am not going to bother trying to prove it. ... > such correspondence. ...
    (sci.crypt)
  • Re: America, the new Reich
    ... I don't believe he has no respect for any type of authority. ... How sad. ... I've been asked for my receipts many times -- it doesn't bother me, ... Sheeple like you sadden me. ...
    (rec.sport.football.college)