Securing OpenLDAP – userPassword issue

Unsecured OpenLDAP (slapd) server…

Output from Solaris 10 box:

-bash-3.00# ldaplist -l passwd test5
dn: uid=test5,ou=People,dc=lab1
uid: test5
cn: Johnny Doe
[..]
homeDirectory: /export/home/test5
userPassword: {MD5}DMF1ucDxtqgxw5niaXcmYQ==

After adding the following snippet to OpenLDAP's slapd.conf file, we prevent anyone from viewing the user password (including the Solaris LDAP proxy bind, but excluding the user logging in and the admin/Manager of slapd):

access to attrs=userPassword,shadowLastChange
    by dn="cn=admin,dc=lab1" write
    by anonymous auth
    by self write
    by * read


-bash-3.00# ldaplist -l passwd test5
dn: uid=test5,ou=People,dc=lab1
uid: test5
cn: Johnny Doe
[..]
gecos: Johnny Doe,none,0,1,Johnny Doe
homeDirectory: /export/home/test5
-bash-3.00#
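The first response below is right: slapd walks the "by" clauses of a matching "access to" directive in order and stops at the first clause whose <who> matches the bound identity, so a Solaris proxy agent that binds with its own DN matches none of the first three clauses and falls through to "by * read". The corrected fragment follows, as an added example rather than the post's own configuration; it assumes the same admin DN "cn=admin,dc=lab1" as above and that the proxy agent binds non-anonymously.

```conf
# slapd.conf ACL fragment (added example, not the original post's file).
# Assumes the manager DN is cn=admin,dc=lab1 as in the post and that the
# Solaris proxy agent binds with a real DN rather than anonymously.
#
# As posted, the last clause was "by * read": any bound identity that is
# not the admin, not anonymous and not the entry itself (e.g. the proxy
# agent) reached that clause and could read the {MD5} hash.

# Manager may set or reset passwords.
# Anonymous clients may only use the attribute to authenticate (bind).
# A user may change his or her own password.
# Everyone else, the proxy agent included, gets no access at all.
access to attrs=userPassword,shadowLastChange
    by dn="cn=admin,dc=lab1" write
    by anonymous auth
    by self write
    by * none

# Order matters: slapd also uses the first "access to" directive whose
# <what> matches, so this catch-all must come AFTER the one above.
# Placing "access to * by * read" first would shadow the password rule.
access to *
    by dn="cn=admin,dc=lab1" write
    by * read
```

Restart slapd after the change and re-run ldaplist, or an ldapsearch bound as the proxy DN, to confirm that userPassword is no longer returned.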

3 Responses to “Securing OpenLDAP – userPassword issue”

  1. Proper says:

    To me it looks like the last line should be
    “by * none” instead of “by * read” to achieve exactly what you want

  2. Can you elaborate on this?

  3. Charles says:

    I see a lot of interesting articles on your page.
    You have to spend a lot of time writing, I know how to save you a
    lot of work, there is a tool that creates high quality, SEO
    friendly posts in a couple of minutes, just search in Google – k2 unlimited content