On Wed, Apr 14, 2010 at 04:00:26PM -0400, Matt Ingram wrote:
> access to attrs=userPassword
>         by group/groupOfNames/member="cn=ldappers,ou=Apps,ou=Groups,ou=Accounts,dc=domain,dc=com" write
>         by dn.children="ou=Admins,dc=domain,dc=com" write
>         by self write
>         by * auth
>
> trying to achieve write access for the ldappers group, children of the
> Admins ou and self. by self write should give a user the ability to change
> their password, correct? Is there a better ACL for what I'm trying to
> achieve?
You have indeed given those users the ability to change the password.
However, you have also given them the ability to *read* it (because
'write' includes 'read' in OpenLDAP ACLs). This is not usually necessary,
and even if the password is hashed it is good practice to prevent it being
read.

>> One comment I would make about your ACLs is that in several places you
>> are granting read access to userPassword. This is not usually
>> necessary nor is it a good idea. You need 'by * auth' access to permit
>> authentication, but only need to give '=w' access to those who need to
>> change passwords. Remember that the 'write' keyword includes read access.

If you replace 'write' with '=w' in the access statement above, you will
still give those users the ability to change the password but they will
not be able to read the existing password.

Andrew
-- 
-----------------------------------------------------------------------
| From Andrew Findlay, Skills 1st Ltd                                 |
| Consultant in large-scale systems, networks, and directory services |
| http://www.skills-1st.co.uk/                       +44 1628 782565 |
-----------------------------------------------------------------------
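Added example, not from the thread and not part of OpenLDAP: a small Python linter that applies the rule given in the reply (the 'write' level includes read, the exact form '=w' does not) to slapd.conf-style access directives. The level-to-privilege letters follow slapd.access(5); the sample input is the ACL quoted above, reconstructed here, next to the same ACL with 'write' replaced by '=w'. The incremental '+x'/'-x' forms and the cn=config olcAccess syntax are not handled.

```python
"""Report 'by' clauses on userPassword rules that also grant read access.
Added example; sample ACLs are constructed from the ones quoted in the thread."""
import shlex

# Access levels expanded to OpenLDAP privilege letters (slapd.access(5));
# each level includes all the privileges of the levels below it.
LEVELS = {
    "none": "", "disclose": "d", "auth": "dx", "compare": "cdx",
    "search": "scdx", "read": "rscdx", "write": "wrscdx", "manage": "mwrscdx",
}
CONTROLS = {"stop", "continue", "break"}


def privileges(access):
    """Privilege letters granted by one <access> token: a level keyword such as
    'write', or the exact form '=w'. Incremental '+'/'-' forms are rejected."""
    if access in LEVELS:
        return set(LEVELS[access])
    if access.startswith("="):
        return set(access[1:]) - {"0"}  # '=0' is the explicit 'none'
    raise ValueError(f"unsupported access spec: {access!r}")


def join_continuations(text):
    """One directive per string: slapd.conf continues a directive on lines
    that start with whitespace; blanks and comments are dropped."""
    directives = []
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0] in " \t" and directives:
            directives[-1] += " " + raw.strip()
        else:
            directives.append(raw.strip())
    return directives


def parse_access(directive):
    """Split 'access to <what> by <who> <access> [control] ...' into
    (what_tokens, [(who, access), ...]); None for any other directive."""
    tokens = shlex.split(directive)  # keeps quoted DNs as single tokens
    if tokens[:2] != ["access", "to"]:
        return None
    what, clauses, i = [], [], 2
    while i < len(tokens) and tokens[i] != "by":
        what.append(tokens[i])
        i += 1
    while i < len(tokens):
        if tokens[i] != "by" or i + 2 >= len(tokens):
            raise ValueError(f"malformed by clause in: {directive}")
        who, access = tokens[i + 1], tokens[i + 2]
        if access == "by" or access in CONTROLS:
            raise ValueError(f"'by {who}' has no access level in: {directive}")
        clauses.append((who, access))
        i += 3
        while i < len(tokens) and tokens[i] in CONTROLS:
            i += 1
    return what, clauses


def password_read_grants(conf_text):
    """[(who, access)] for every clause of a rule whose <what> names
    userPassword and whose access includes the 'r' (read) privilege."""
    findings = []
    for directive in join_continuations(conf_text):
        parsed = parse_access(directive)
        if parsed is None:
            continue
        what, clauses = parsed
        if not any(t.lower().startswith("attrs=") and "userpassword" in t.lower()
                   for t in what):
            continue
        for who, access in clauses:
            if "r" in privileges(access):
                findings.append((who, access))
    return findings


# The ACL as posted in the question (constructed sample input).
ORIGINAL_ACL = """\
access to attrs=userPassword
    by group/groupOfNames/member="cn=ldappers,ou=Apps,ou=Groups,ou=Accounts,dc=domain,dc=com" write
    by dn.children="ou=Admins,dc=domain,dc=com" write
    by self write
    by * auth
access to *
    by * read
"""

# The same ACL with 'write' replaced by '=w', as the reply recommends.
HARDENED_ACL = ORIGINAL_ACL.replace(" write\n", " =w\n")

if __name__ == "__main__":
    for label, acl in (("original", ORIGINAL_ACL), ("hardened", HARDENED_ACL)):
        hits = password_read_grants(acl)
        print(f"{label}: {len(hits)} clause(s) let the matching identity read userPassword")
        for who, access in hits:
            print(f"  by {who} {access}  -> privileges {''.join(sorted(privileges(access)))}")
```

Run against the original ACL it flags the group, the Admins children and self (all 'write'); the hardened ACL produces no findings, while 'by * auth' is untouched in both because 'auth' expands to 'dx' and carries no 'r'.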