Re: [courier-users] Re: {CRYPT} with auth_passwd (Courier-Imap forum, Mail Servers and Related category)
Lloyd Zusman wrote:
> OK. So what should it look like? Something like this, perhaps?
>
> access to userPassword
>   by self write
>   by anonymous auth
>   by * read

"It" is not a single rule, it's a whole policy. When you're designing ACIs for LDAP, it's typical to start with a rule that grants read access to all attributes except for passwords to all users. Then grant write access to "self" for the specific attributes you want them to be able to write. (Except, of course, that OpenLDAP stops at the first match in its config file, so you list these in reverse order.)

The "Sample access control policy" present in the default OpenLDAP slapd.conf is not suitable for real world use. A fairly minimal, secure set of ACIs for OpenLDAP would look like this:

    # passwords: the owner may change them, anonymous may only bind against them
    access to attr=userPassword
        by self write
        by anonymous auth
        by * none

    # attributes users may edit themselves; everyone else may read them
    access to attr=loginShell,homePhone,mobile,pager
        by self write
        by * read

    # everything else: read-only for everyone
    access to *
        by * read
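The first-match behaviour the reply describes, as an added example that is not part of the thread: a small Python model of how slapd walks `access to` directives (simplified grammar, only the `self`, `anonymous` and `*` subjects used above), checking the posted rule set against a constructed variant where the catch-all `access to * by * read` is listed first.

```python
# Added example (not slapd code): toy model of slapd.conf ACL evaluation.
# Grammar covered: "access to attr=a,b|*" with "by self|anonymous|* <level>".
LEVELS = ["none", "auth", "compare", "search", "read", "write"]  # weak -> strong

def parse_acl(text):
    """Return [(attrs_or_None, [(who, level), ...])] in file order."""
    rules = []
    for clause in text.split("access to")[1:]:
        tokens = clause.split()
        attrs = None if tokens[0] == "*" else set(tokens[0].split("=", 1)[1].split(","))
        bys = [(tokens[i + 1], tokens[i + 2])
               for i in range(1, len(tokens), 3) if tokens[i] == "by"]
        rules.append((attrs, bys))
    return rules

def who_matches(who, requester, target):
    """requester = bound DN (None for anonymous); target = entry being accessed."""
    if who == "self":
        return requester is not None and requester == target
    if who == "anonymous":
        return requester is None
    return who == "*"

def allowed(rules, attr, requester, target, level):
    """slapd semantics: the first 'access to' covering attr decides; within it
    the first matching 'by' clause fixes the level; no match at all means none."""
    for attrs, bys in rules:
        if attrs is not None and attr not in attrs:
            continue
        for who, granted in bys:
            if who_matches(who, requester, target):
                return LEVELS.index(granted) >= LEVELS.index(level)
        return False  # directive matched, no 'by' matched: implicit "by * none"
    return False

# The reply's rule set, and (constructed) the same rules with the catch-all first.
SECURE = parse_acl("""
access to attr=userPassword by self write by anonymous auth by * none
access to attr=loginShell,homePhone,mobile,pager by self write by * read
access to * by * read
""")
CATCHALL_FIRST = parse_acl("""
access to * by * read
access to attr=userPassword by self write by anonymous auth by * none
""")

def anonymous_can_read_passwords(rules):
    """True when an unauthenticated client could read a password hash."""
    return allowed(rules, "userPassword", None, "uid=alice,ou=people", "read")
```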