Re: A little more on openLDAP
- From: Josh Miller <joshua@xxxxxxxxxxxxxxxxx>
- Date: Fri, 15 Feb 2008 14:10:20 -0800
m.roth2006@xxxxxxx wrote:
> b) when you're coming in, first you need the ability to
> read with anonymous authority, so that you can look
> up who you are, so that you can give it your password,
> so you can be authorized to change your password.
>
> access to * # all attributes
> by * read # anybody can read it
> by self write # only you can write
> by anonymous auth # but you come in to start with
> # anon authority

Try this instead:

# password attributes first: the owner may write them, an unauthenticated
# bind may only use them to authenticate, nobody else gets anything
access to attrs=shadowLastChange,userPassword
    by self write
    by anonymous auth
    by * none
# all attributes except entries listed above: anybody can read them
access to *
    by * read
    by anonymous auth
Your ordering allows anonymous reading of your passwords and I recommend re-ordering them. Also, your ACLs allowed users to change any entry they own themselves, which may not be desirable.
Regards,
Josh, RHCE
--
redhat-list mailing list
unsubscribe mailto:redhat-list-request@xxxxxxxxxx?subject=unsubscribe
https://www.redhat.com/mailman/listinfo/redhat-list
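To see the ordering point above concretely, here is an added example (not from the thread and not OpenLDAP code) that models slapd's first-match ACL evaluation for a small subset of the `by <who>` selectors and runs both configurations against a constructed user DN. The `USER` and `OTHER` DNs are made up for the check.

```python
# Toy model of slapd.access(5) evaluation (hypothetical helper, not OpenLDAP):
# the first "access to" clause whose <what> matches the target is used, and
# within it the first matching "by" clause decides the granted level.
LEVELS = ["none", "disclose", "auth", "compare", "search", "read", "write", "manage"]

def who_matches(who, bind_dn, target_dn):
    """Subset of <who> selectors: '*', 'anonymous', 'users', 'self'."""
    if who == "*":
        return True
    if who == "anonymous":
        return bind_dn is None
    if who == "users":
        return bind_dn is not None
    if who == "self":
        return bind_dn is not None and bind_dn.lower() == target_dn.lower()
    raise ValueError(f"unsupported <who>: {who}")

def granted_level(acls, bind_dn, target_dn, attr):
    """Level from the first matching clause; an unmatched 'by' list is 'by * none'."""
    for what, by_clauses in acls:
        if what == "*" or attr in what:
            for who, level in by_clauses:
                if who_matches(who, bind_dn, target_dn):
                    return level
            return "none"
    return "none"  # no "access to" clause matched; treated as denied in this model

def allowed(acls, bind_dn, target_dn, attr, op):
    """True if the granted level is at least the level the operation needs."""
    return LEVELS.index(granted_level(acls, bind_dn, target_dn, attr)) >= LEVELS.index(op)

# The original ordering: "by * read" comes first, so it matches everybody and
# the "self write" and "anonymous auth" clauses are never reached.
ORIGINAL = [
    ("*", [("*", "read"), ("self", "write"), ("anonymous", "auth")]),
]

# The suggested ordering: password attributes first, most specific "by" first.
SUGGESTED = [
    ({"shadowLastChange", "userPassword"},
     [("self", "write"), ("anonymous", "auth"), ("*", "none")]),
    ("*", [("*", "read"), ("anonymous", "auth")]),
]

USER = "uid=alice,ou=people,dc=example,dc=com"   # constructed sample DN
OTHER = "uid=bob,ou=people,dc=example,dc=com"    # constructed sample DN

if __name__ == "__main__":
    for name, acls in (("original", ORIGINAL), ("suggested", SUGGESTED)):
        print(name, "anonymous can read userPassword:",
              allowed(acls, None, USER, "userPassword", "read"))
```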