Avoiding ACI Problems with Outlook Connector

Misused ACI Rules

In many environments, you do not want to grant anonymous access, and you must pay attention to the potential security risks involved. For example, the following ACI rule causes a potential security problem by exposing user passwords.


aci:(target="ldap:///uid=*,ou=people,o=red.siroe.com,o=ugdata")(targetattr="*")
(version 3.0;acl "allowproxy-calmaster";allow(proxy)(userdn="ldap:///uid=*,
ou=people,o=red.siroe.com,o=ugdata");)

The lesson here is to use the ACI targetattr keyword with caution: a value of "*" covers every attribute of the target entries, including userPassword.

When you implement the above ACI, users' passwords become visible, as the following ldapsearch command confirms:


# ldapsearch -b ou=people,o=red.siroe.com,o=ugdata -D "uid=jhawk,ou=people,o=red.siroe.com,o=ugdata" -w demo "cn=naomi*" | more
uid=nhawkins,ou=People,o=red.siroe.com,o=ugdata
uid=nhawkins
iplanet-am-modifiable-by=cn=Top-level Admin Role,o=ugdata
givenName=Naomi
mail=naomi.hawkins@red.siroe.com
mailUserStatus=active
sn=Hawkins
cn=Naomi Hawkins
icsStatus=Active
mailHost=par.red.siroe.com
inetUserStatus=Active
userPassword={SSHA}0qCnUCKtNK94ndKmEMlPp8i1Z/SKMAhapz3ZPA==
sunUCDefaultApplication=addressbook
sunUCTheme=uwc
<< remainder of output deleted >>

The userPassword line in this output is the attribute that you do not want to expose.
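As an added example (not part of the original documentation), the following Python script audits ACI strings for the pattern this section warns about: an allow rule whose targetattr clause covers userPassword for a broad set of bind DNs. The two ACIs are constructed: one mirrors the misused rule above, the other excludes the password attribute with the targetattr "!=" operator instead of granting "*". The field extraction is a simplified, assumed parser suited to these forms, not a full ACI grammar.

```python
import re

# Constructed ACIs for this demonstration (not copied from a live directory).
# RISKY_ACI mirrors the misused rule above; SAFER_ACI excludes the password
# attribute with the "!=" targetattr operator instead of granting "*".
RISKY_ACI = (
    'aci:(target="ldap:///uid=*,ou=people,o=red.siroe.com,o=ugdata")'
    '(targetattr="*")(version 3.0;acl "allowproxy-calmaster";allow(proxy)'
    '(userdn="ldap:///uid=*,ou=people,o=red.siroe.com,o=ugdata");)'
)
SAFER_ACI = RISKY_ACI.replace('(targetattr="*")', '(targetattr!="userPassword")')
# Bind-rule subjects that mean "everyone" or "any user under the subtree".
BROAD_SUBJECTS = {"anyone", "all", "uid=*"}


def parse_aci(aci):
    """Extract the fields that decide what a bound user can see (simplified parser)."""
    m = re.search(r'\(targetattr\s*(!?=)\s*"([^"]*)"\)', aci, re.IGNORECASE)
    op, raw = (m.group(1), m.group(2)) if m else ("=", "*")  # no clause = all attrs
    perm = re.search(r'\b(allow|deny)\s*\(', aci, re.IGNORECASE)
    subj = re.search(r'userdn\s*=\s*"ldap:///([^"]*)"', aci, re.IGNORECASE)
    return {"op": op, "attrs": {a.strip().lower() for a in raw.split("||")},
            "decision": perm.group(1).lower() if perm else "deny",
            "subject": subj.group(1).lower() if subj else ""}


def covers_attribute(parsed, attr):
    """True when targetattr includes attr: "*" or named under "=", or not excluded under "!="."""
    attr = attr.lower()
    if parsed["op"] == "=":
        return "*" in parsed["attrs"] or attr in parsed["attrs"]
    return attr not in parsed["attrs"]


def exposes_password(aci):
    """Flag an allow rule whose targetattr covers userPassword for a broad subject."""
    p = parse_aci(aci)
    broad = p["subject"].split(",")[0] in BROAD_SUBJECTS
    return p["decision"] == "allow" and broad and covers_attribute(p, "userPassword")


def audit(acis):
    """Return the acl names of every rule that fails the check."""
    flagged = []
    for aci in acis:
        if exposes_password(aci):
            name = re.search(r'acl\s*"([^"]*)"', aci)
            flagged.append(name.group(1) if name else aci)
    return flagged


if __name__ == "__main__":
    print(audit([RISKY_ACI, SAFER_ACI]))  # ['allowproxy-calmaster']
```

Running the same check over the ACIs exported from a directory (for example, the aci values of every entry under the suffix) gives a quick list of rules to review before they reach production.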