This is a discussion on Re: [courier-users] Re: {CRYPT} with auth_passwd within the Courier-Imap forums, part of the Mail Servers and Related category.
On Mon, 16 Jan 2006, Lloyd Zusman wrote:

> Gordon Messmer <yinyang@eburg.com> writes:
>
> > Lloyd Zusman wrote:
> >> OK, OK ... I found it. I added this to slapd.conf:
> >>   access to *
> >>       by self write
> >>       by anonymous auth
> >>       by * read
> >
> > Yeah... Your users can now change their login shell and uid (attribute
> > "uidNumber"). Obviously, this is bad.
> >
> > Be specific when granting write access. Only grant access to the
> > specific attributes that users need to be able to change.
>
> OK. So what should it look like? Something like this, perhaps?
>
>   access to userPassword
>       by self write
>       by anonymous auth
>       by * read
>
> Thanks.
>

I use the following in slapd.conf:

  include /etc/openldap/slapd.access.conf

  access to *
      by self write
      by users read
      by anonymous auth

and amongst other settings in slapd.access.conf I use:

  # slapd access control directives
  access to attr=userPassword,clearPassword,lmPassword,ntPassword
      by dn.base="cn=Manager,dc=mydomain,dc=com" write
      by self write
      by anonymous auth
      by * none

My 2-cents worth.

Larry.
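Added example, not part of the original thread and not OpenLDAP code: a small audit that reads slapd.conf-style ACLs and reports every rule that gives "by self" write access without an attribute list, which is the condition Gordon warns about. The function names and the two sample configurations (copied from rules quoted in the thread) are constructed for illustration; only plain access levels are parsed, not "=w"-style privilege strings.

```python
import re

# Access levels that permit modification; "manage" exists in OpenLDAP 2.4+.
WRITE_LEVELS = {"write", "manage"}

# Constructed samples, taken from the rules quoted in the thread.
BROAD = """
access to *
    by self write
    by anonymous auth
    by * read
"""
SCOPED = """
# slapd access control directives
access to attr=userPassword,clearPassword,lmPassword,ntPassword
    by dn.base="cn=Manager,dc=mydomain,dc=com" write
    by self write
    by anonymous auth
    by * none
"""

def logical_lines(text):
    """Join continuation lines (leading whitespace); skip blanks and comments."""
    out = []
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0].isspace() and out:
            out[-1] += " " + raw.strip()
        else:
            out.append(raw.strip())
    return out

def self_write_findings(text):
    """Return (what, attribute list or None) for each ACL granting self write."""
    findings = []
    for line in logical_lines(text):
        m = re.match(r"access\s+to\s+(.*?)\s+by\s+(.*)$", line, re.I)
        if not m:
            continue
        what = m.group(1)
        attrs = re.search(r"\battrs?=(\S+)", what)
        for clause in re.split(r"\s+by\s+", m.group(2)):
            parts = clause.split()
            if len(parts) > 1 and parts[0] == "self" and parts[1] in WRITE_LEVELS:
                findings.append((what, attrs.group(1).split(",") if attrs else None))
    return findings

def too_broad(text):
    """ACL targets where users may write to their own entry with no attribute limit."""
    return [what for what, attrs in self_write_findings(text) if attrs is None]
```

Calling too_broad() on the text of a slapd.conf (with included files concatenated in order) lists the rules to tighten; self_write_findings() shows which attributes each remaining self-write rule exposes.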