m.roth2006@xxxxxxx wrote:
b) when you're coming in, first you need the ability to
read with anonymous authority, so that you can look
up who you are, so that you can give it your password,
so you can be authorized to change your password.
access to *            # all attributes
    by * read          # anybody can read it
    by self write      # only you can write
    by anonymous auth  # but you come in to start with anon authority
Try this instead:
access to attrs=shadowLastChange,userPassword
    by self write
    by anonymous auth
    by * none
access to *            # all attributes except entries listed above
    by * read          # anybody can read it
    by anonymous auth
Your ordering allows anonymous reading of your passwords and I recommend
re-ordering them. Also, your ACLs allowed users to change any entry
they own themselves which may not be desirable.
Regards,
Josh, RHCE
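To see concretely why the order matters, here is a small model of slapd's ACL walk, added as an illustration and not part of the thread or of OpenLDAP itself; the DNs used in it are made up, and it models only the "*", "anonymous" and "self" subjects.

```python
# Added example, not from the original thread: a tiny model of how slapd walks
# "access to" directives. The first directive whose target matches the attribute
# decides; inside it the first matching "by" clause wins (so "by self write"
# placed after "by * read" is never reached); no matching clause means "none".
LEVELS = ["none", "disclose", "auth", "compare", "search", "read", "write", "manage"]

def parse_acl(text):
    """Parse simplified slapd.conf ACL lines into [(attrs_or_None, [(who, level)])]."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()                 # drop comments
        if line.startswith("access to "):
            what = line[len("access to "):]
            attrs = None if what == "*" else set(what[len("attrs="):].split(","))
            rules.append((attrs, []))
        elif line.startswith("by "):
            who, level = line[3:].split()
            rules[-1][1].append((who, level))
    return rules

def who_matches(who, subject, entry_owner):
    """subject is the bound DN, or None for an anonymous connection."""
    return (who == "*" or (who == "anonymous" and subject is None)
            or (who == "self" and subject is not None and subject == entry_owner))

def granted(rules, subject, entry_owner, attr):
    for attrs, by_clauses in rules:
        if attrs is None or attr in attrs:
            for who, level in by_clauses:
                if who_matches(who, subject, entry_owner):
                    return level
            return "none"                                   # target matched, nobody granted
    return "none"

def allowed(rules, subject, entry_owner, attr, needed):
    # Levels are cumulative: a grant of "read" also satisfies "auth".
    return LEVELS.index(granted(rules, subject, entry_owner, attr)) >= LEVELS.index(needed)

# Constructed copies of the two configurations quoted in the thread.
ORIGINAL_ACL = parse_acl("""
access to *            # all attributes
    by * read          # anybody can read it
    by self write
    by anonymous auth
""")
REORDERED_ACL = parse_acl("""
access to attrs=shadowLastChange,userPassword
    by self write
    by anonymous auth
    by * none
access to *            # everything except the attributes above
    by * read
    by anonymous auth
""")
```

Running `allowed(ORIGINAL_ACL, None, owner, "userPassword", "read")` returns True: an anonymous bind can read every password hash under the first ordering, while the reordered ACL grants anonymous only "auth" on that attribute.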
--
redhat-list mailing list
unsubscribe mailto:redhat-list-request@xxxxxxxxxx?subject=unsubscribe
https://www.redhat.com/mailman/listinfo/redhat-list