In many environments, you do not want to grant anonymous access. If you do grant it, pay attention to the security risks involved. For example, the following ACI rule causes a potential security problem by exposing user passwords, because targetattr="*" includes the userPassword attribute.

    aci: (target="ldap:///uid=*,ou=people,o=red.siroe.com,o=ugdata")(targetattr="*")
         (version 3.0; acl "allowproxy-calmaster"; allow (proxy)
         (userdn="ldap:///uid=*,ou=people,o=red.siroe.com,o=ugdata");)
The lesson here is to use the ACI targetattr rule with caution.
When you implement the above ACI, users’ passwords are now visible. This is confirmed by running the following ldapsearch command:
    # ldapsearch -b ou=people,o=red.siroe.com,o=ugdata \
        -D "uid=jhawk,ou=people,o=red.siroe.com,o=ugdata" -w demo "cn=naomi*" | more
    uid=nhawkins,ou=People,o=red.siroe.com,o=ugdata
    uid=nhawkins
    iplanet-am-modifiable-by=cn=Top-level Admin Role,o=ugdata
    givenName=Naomi
    mail=naomi.hawkins@red.siroe.com
    mailUserStatus=active
    sn=Hawkins
    cn=Naomi Hawkins
    icsStatus=Active
    mailHost=par.red.siroe.com
    inetUserStatus=Active
    userPassword={SSHA}0qCnUCKtNK94ndKmEMlPp8i1Z/SKMAhapz3ZPA==
    sunUCDefaultApplication=addressbook
    sunUCTheme=uwc
    << remainder of output deleted >>

The userPassword line in this output is the attribute that you do not want to expose: an ordinary user (uid=jhawk) can read another user's password hash.
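To turn the manual ldapsearch check above into a repeatable audit, the following script (an added example, not part of the original document) reads LDIF on standard input, as produced by ldapsearch when bound as an ordinary user, and prints the DN of every entry whose userPassword attribute was returned. The sample LDIF embedded in it is constructed, with made-up hash values, and the script assumes standard LDIF layout (entries separated by blank lines, "dn:" first, base64 values written as "userPassword::").

```shell
#!/bin/sh
# Audit helper: list entries whose userPassword came back in an ldapsearch
# result. A non-empty list means the ACI exposes password hashes to the
# identity that performed the search.
# Assumption: input is standard LDIF; continuation lines are not handled.

exposed_password_dns() {
    awk '
        # Remember the DN of the entry currently being read ("dn:" or "dn::").
        /^dn::? /   { dn = $0; sub(/^dn::? /, "", dn); next }
        # LDIF attribute names are case-insensitive; match ":" and "::" forms.
        tolower($0) ~ /^userpassword::? / { if (dn != "" && !seen[dn]++) print dn }
        # Blank line ends the entry.
        /^$/        { dn = "" }
    '
}

count_exposed_password_entries() {
    exposed_password_dns | wc -l | tr -d " "
}

# Constructed sample: what a search bound as uid=jhawk (an ordinary user)
# might return after the permissive ACI is applied. Hashes are made up.
SAMPLE_LDIF='dn: uid=nhawkins,ou=People,o=red.siroe.com,o=ugdata
uid: nhawkins
cn: Naomi Hawkins
userPassword: {SSHA}EXAMPLEHASHVALUE000000000000000000000000==

dn: uid=jhawk,ou=People,o=red.siroe.com,o=ugdata
uid: jhawk
cn: Example Hawk
userPassword:: e1NTSEF9RVhBTVBMRUJBU0U2NFZBTFVF

dn: uid=svc,ou=People,o=red.siroe.com,o=ugdata
uid: svc
cn: Service Account
'

# Real use: pipe ldapsearch output into exposed_password_dns, e.g.
#   ldapsearch -b ou=people,o=red.siroe.com,o=ugdata -D "<ordinary user DN>" \
#       -w <password> "(uid=*)" | exposed_password_dns
# Here the constructed sample is used; it prints the two exposed DNs.
printf '%s\n' "$SAMPLE_LDIF" | exposed_password_dns
```

Run it after each ACI change with a low-privilege bind DN; the expected result is no output at all.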