Re: Tons of configuration problems
At 10:58 AM 9/30/99 -0400, Geoffrey E. Gallaway wrote:
>access to attr=userPassword,homeTelephoneNumber,homePostalAddress
> by self write
> by dn="cn=Directory Admin,o=ZoomTown.com,c=US" write
> by * none
>access to attr=uid
> by self write
> by dn="cn=Directory Admin,o=ZoomTown.com,c=US" write
> by * search
>access to attr=entry
> by self write
> by dn="cn=Directory Admin,o=ZoomTown.com,c=US" write
> by * none
You allowed (uid=*) searches by *, but denied any matched entry
to be returned by non-self/admin.
>And once again, these rules need to meet the following requirements:
>* Authenticated users can do anything to their own homeTelephonenumber,
>homePostalAddress and userPassword and "Directory Admin" can do anything
>to those attributes. Anonymous users should *not* be able to do anything
>to those attributes.
Okay, your first rule handles this fine.
>* Authenticated users can do anything to their own uid and Directory
>Admin can do anything to the uid attribute. Anonymous users can only
>search on uid (this is for the purposes of the web page authentication).
Okay, but you need to grant read access to allow matches to
be returned.
>* As for the rest of the attributes not already excepted by the
>previous two rules, authenticated users can do anything to their own
>attributes and Directory Admin can do anything to anyone's attributes.
>Anonymous people (non-authenticated) can't do a thing.
Including reading the results of their (uid=*) searches!
I actually recommend you explicitly state which attributes
anonymous users can read. For example, say they can search
by uid and read cn.
# allow self+admin write, others none
access to attr=userPassword,homeTelephoneNumber,homePostalAddress
    by self write
    by dn="cn=Directory Admin,o=ZoomTown.com,c=US" write
    by * none
# allow self+admin write, auth read, anon search
access to attr=uid
    by self write
    by dn="cn=Directory Admin,o=ZoomTown.com,c=US" write
    by dn=".+" read
    by * search
# allow self+admin write, others read
access to attr=entry,cn
    by self write
    by dn="cn=Directory Admin,o=ZoomTown.com,c=US" write
    by * read
# allow admin write, self+auth read, anon none
access to *
    by dn="cn=Directory Admin,o=ZoomTown.com,c=US" write
    by dn=".+" read
    by * none