m.roth2006@(protected):
> b) when you're coming in, first you need the ability to
> read with anonymous authority, so that you can look
> up who you are, so that you can give it your password,
> so you can be authorized to change your password.
>
>
> access to *                # all attributes
>     by * read              # anybody can read it
>     by self write          # only you can write
>     by anonymous auth      # but you come in to start with anon authority
>
>
Try this instead:
access to attrs=shadowLastChange,userPassword
    by self write          # only the entry's owner may change its password
    by anonymous auth      # unauthenticated binds may only authenticate against it
    by * none              # everyone else gets nothing (this is also the implicit default)
access to *                # all attributes except those listed above
    by * read              # anybody can read them
    by anonymous auth      # never reached: "by * read" matches first, and read already implies auth
Your ordering allows anonymous reading of your passwords, and I recommend
re-ordering them. Also, your ACLs allowed users to change any entry
they own themselves, which may not be desirable.
Regards,
Josh, RHCE
--
redhat-list mailing list
unsubscribe mailto:redhat-list-request@(protected)
https://www.redhat.com/mailman/listinfo/redhat-list
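To make the ordering point concrete, here is an added example (my own code, not OpenLDAP's and not something from this thread) that models the two first-match rules slapd applies: the first "access to" directive whose target matches is the only one consulted, and within it the first matching "by" clause decides, with an implicit "by * none" after the last clause. A granted level implies every lower one (none < disclose < auth < compare < search < read < write), which is why "by * read" already satisfies an anonymous bind's need for auth. Only the syntax subset used in this thread is modelled ("access to *", "access to attrs=...", and the who values "*", "anonymous", "users", "self"); DN patterns, groups, regex targets and ssf are left out. The two ACL texts are copied from the thread; the DNs are made up for the demonstration.

```python
"""Toy model of slapd ACL evaluation (added example; not OpenLDAP code)."""
from dataclasses import dataclass, field
from typing import List, Optional

# Privilege levels in ascending order; a grant implies every lower level.
LEVELS = ["none", "disclose", "auth", "compare", "search", "read", "write"]


@dataclass
class ByClause:
    who: str            # "*", "anonymous", "users" or "self"
    level: str          # one of LEVELS


@dataclass
class AccessDirective:
    attrs: Optional[frozenset]                        # None means "access to *"
    clauses: List[ByClause] = field(default_factory=list)


def parse_acl(text: str) -> List[AccessDirective]:
    """Parse slapd.conf-style ACL text; '#' comments and indentation are ignored."""
    rules: List[AccessDirective] = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.startswith("access to "):
            what = line[len("access to "):].strip()
            if what == "*":
                rules.append(AccessDirective(None))
            elif what.startswith("attrs="):
                # Attribute names are case-insensitive in LDAP, so normalise them.
                names = frozenset(a.strip().lower() for a in what[len("attrs="):].split(","))
                rules.append(AccessDirective(names))
            else:
                raise ValueError(f"unsupported target: {what!r}")
        elif line.startswith("by "):
            _, who, level = line.split()
            if level not in LEVELS or not rules:
                raise ValueError(f"bad by clause: {line!r}")
            rules[-1].clauses.append(ByClause(who, level))
        else:
            raise ValueError(f"unrecognised line: {line!r}")
    return rules


def who_matches(who: str, bind_dn: Optional[str], target_dn: str) -> bool:
    """bind_dn None models an anonymous bind."""
    if who == "*":
        return True
    if who == "anonymous":
        return bind_dn is None
    if who == "users":
        return bind_dn is not None
    if who == "self":
        return bind_dn is not None and bind_dn.lower() == target_dn.lower()
    raise ValueError(f"unsupported who: {who!r}")


def granted_level(rules: List[AccessDirective], bind_dn: Optional[str],
                  target_dn: str, attr: str) -> str:
    attr = attr.lower()
    for rule in rules:
        if rule.attrs is not None and attr not in rule.attrs:
            continue                      # target does not match; try the next directive
        for clause in rule.clauses:
            if who_matches(clause.who, bind_dn, target_dn):
                return clause.level       # first matching "by" wins; later clauses are dead
        return "none"                     # implicit trailing "by * none"
    return "none"                         # no directive matched at all


def allowed(rules, bind_dn, target_dn, attr, needed: str) -> bool:
    return LEVELS.index(granted_level(rules, bind_dn, target_dn, attr)) >= LEVELS.index(needed)


def evaluate(acl_text: str, bind_dn: Optional[str], target_dn: str, attr: str, needed: str) -> bool:
    return allowed(parse_acl(acl_text), bind_dn, target_dn, attr, needed)


# The two ACLs from the thread (original ordering, then the reordered version).
ORIGINAL_ACL = """
access to *                # all attributes
    by * read              # anybody can read it
    by self write          # only you can write
    by anonymous auth      # but you come in to start with anon authority
"""
REORDERED_ACL = """
access to attrs=shadowLastChange,userPassword
    by self write
    by anonymous auth
    by * none
access to *                # all attributes except those listed above
    by * read
    by anonymous auth
"""
# Constructed DNs for the demonstration.
USER_DN = "uid=alice,ou=People,dc=example,dc=com"
OTHER_DN = "uid=bob,ou=People,dc=example,dc=com"

if __name__ == "__main__":
    checks = [("anonymous", None, "userPassword", "read"), ("anonymous", None, "userPassword", "auth"),
              ("self", USER_DN, "userPassword", "write"), ("other user", OTHER_DN, "userPassword", "read"),
              ("self", USER_DN, "mail", "write"), ("other user", OTHER_DN, "mail", "read")]
    for name, acl in (("original", ORIGINAL_ACL), ("reordered", REORDERED_ACL)):
        for label, bind, attr, need in checks:
            print(f"{name:9} {label:10} {need:5} {attr:16} -> {evaluate(acl, bind, USER_DN, attr, need)}")
```

Running it shows the original ordering handing anonymous binds read access to userPassword, and the "by self write" clause behind "by * read" never being reached, while the reordered ACL leaves anonymous with auth only on the password attributes, gives the owner write on them, and caps everyone at read on the rest.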