On Mon, 16 Jan 2006, Lloyd Zusman wrote:
> Gordon Messmer <[EMAIL PROTECTED]> writes:
>
> > Lloyd Zusman wrote:
> >> OK, OK ... I found it. I added this to slapd.conf:
> >> access to *
> >> by self write
> >> by anonymous auth
> >> by * read
> >
> > Yeah... Your users can now change their login shell and uid (attribute
> > "uidNumber"). Obviously, this is bad.
> >
> > Be specific when granting write access. Only grant access to the
> > specific attributes that users need to be able to change.
>
> OK. So what should it look like? Something like this, perhaps?
>
> access to userPassword
> by self write
> by anonymous auth
> by * read
>
> Thanks.
>
I use the following in slapd.conf:
include /etc/openldap/slapd.access.conf
access to *
by self write
by users read
by anonymous auth
and amongst other settings in slapd.access.conf i use:
# slapd access control directives
access to attr=userPassword,clearPassword,lmPassword,ntPassword
by dn.base="cn=Manager,dc=mydomain,dc=com" write
by self write
by anonymous auth
by * none
My 2-cents worth.
Larry.
-------------------------------------------------------
This SF.net email is sponsored by: Splunk Inc. Do you grep through log files
for problems? Stop! Download the new AJAX search engine that makes
searching your log files as easy as surfing the web. DOWNLOAD SPLUNK!
http://sel.as-us.falkag.net/sel?cmd=lnk&kid=103432&bid=230486&dat=121642
_______________________________________________
courier-users mailing list
[email protected]
Unsubscribe: https://lists.sourceforge.net/lists/listinfo/courier-users
