
Re: Tons of configuration problems
At 10:58 AM 9/30/99 -0400, Geoffrey E. Gallaway wrote:
>access to attr=userPassword,homeTelephoneNumber,homePostalAddress
>        by self write
>        by dn="cn=Directory Admin,o=ZoomTown.com,c=US" write
>        by * none
>access to attr=uid
>        by self write
>        by dn="cn=Directory Admin,o=ZoomTown.com,c=US" write
>        by * search
>access to attr=entry
>        by self write
>        by dn="cn=Directory Admin,o=ZoomTown.com,c=US" write
>        by * none

You allowed (uid=*) searches by *, but denied any matched entry
to be returned by non-self/admin.

>And once again, these rules need to meet the following requirements:
>* Authenticated users can do anything to their own homeTelephonenumber,
>homePostalAddress and userPassword and "Directory Admin" can do anything
>to those attributes. Anonymous users should *not* be able to do anything
>to those attributes.

Okay, your first rule handles this fine.

>* Authenticated users can do anything to their own uid and Directory
>Admin can do anything to the uid attribute. Anonymous users can only
>search on uid (this is for the purposes of the web page authentication).

Okay, but you need to grant read access to allow matches to
be returned.

>* As for the rest of the attributes not already excepted by the
>previous two rules, authenticated users can do anything to their own
>attributes and Directory Admin can do anything to anyone's attributes.
>Anonymous people (non-authenticated) can't do a thing.

Including reading the results of their (uid=*) searches!

I actually recommend you explicitly state which attributes
anonymous users can read.  For example, say they can search
by uid and read cn.

# allow self+admin write, others none
access to attr=userPassword,homeTelephoneNumber,homePostalAddress
        by self write
        by dn="cn=Directory Admin,o=ZoomTown.com,c=US" write
        by * none

# allow self+admin write, auth read, anon search
access to attr=uid
        by self write
        by dn="cn=Directory Admin,o=ZoomTown.com,c=US" write
        by dn=".+" read
        by * search

# allow self+admin write, others read
access to attr=entry,cn
        by self write
        by dn="cn=Directory Admin,o=ZoomTown.com,c=US" write
        by * read

# allow admin write, self+auth read, anon none
access to *
        by dn="cn=Directory Admin,o=ZoomTown.com,c=US" write
        by dn=".+" read
        by * none
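An added example, not code from the list post: a small Python model of slapd's first-match ACL evaluation, used to show why the quoted rules let anonymous users search on uid but never receive a matched entry, and how the suggested rules change that. It assumes the privilege ordering and the "entry" pseudo-attribute from slapd.access(5), treats `dn=".+"` as the regex for any authenticated DN, and assumes that no matching `access to` clause means no access (1.x had a separate `defaultaccess` directive for this).

```python
# Modelled after slapd's ACL semantics; simplified (regex DNs are matched exactly except dn=".+").
LEVELS = {"none": 0, "auth": 1, "compare": 2, "search": 3, "read": 4, "write": 5}
ADMIN = "cn=Directory Admin,o=ZoomTown.com,c=US"
ADMIN_BY = ("dn=" + ADMIN, "write")

def who_matches(who, subject_dn, target_dn):
    """Does a 'by <who>' clause match the requester? subject_dn is '' when anonymous."""
    if who == "*":
        return True
    if who == "self":
        return subject_dn != "" and subject_dn.lower() == target_dn.lower()
    if who == 'dn=".+"':                 # regex for any non-empty DN: any authenticated user
        return subject_dn != ""
    if who.startswith("dn="):            # specific DN (case-insensitive, no regex here)
        return subject_dn.lower() == who[3:].lower()
    return False

def granted(acl, subject_dn, target_dn, attr):
    """Privilege the first applicable 'access to' clause grants; acl is [(attrs, [(who, level)])]."""
    for attrs, by_clauses in acl:
        if attrs != "*" and attr not in attrs:
            continue
        for who, level in by_clauses:
            if who_matches(who, subject_dn, target_dn):
                return level             # first matching 'by' wins; later ones are ignored
        return "none"                    # clause applied but no 'by' matched
    return "none"                        # assumption: no clause matched -> no access

def allows(acl, subject_dn, target_dn, attr, needed):
    return LEVELS[granted(acl, subject_dn, target_dn, attr)] >= LEVELS[needed]

def can_find_by_uid(acl, subject_dn, target_dn):
    """A (uid=x) search returns the entry only with search on uid AND read on 'entry'."""
    return (allows(acl, subject_dn, target_dn, "uid", "search")
            and allows(acl, subject_dn, target_dn, "entry", "read"))

PRIVATE = ["userPassword", "homeTelephoneNumber", "homePostalAddress"]
ORIGINAL = [  # the rules quoted at the top of the thread
    (PRIVATE, [("self", "write"), ADMIN_BY, ("*", "none")]),
    (["uid"], [("self", "write"), ADMIN_BY, ("*", "search")]),
    (["entry"], [("self", "write"), ADMIN_BY, ("*", "none")]),
]
FIXED = [  # the rules suggested in the reply
    (PRIVATE, [("self", "write"), ADMIN_BY, ("*", "none")]),
    (["uid"], [("self", "write"), ADMIN_BY, ('dn=".+"', "read"), ("*", "search")]),
    (["entry", "cn"], [("self", "write"), ADMIN_BY, ("*", "read")]),
    ("*", [ADMIN_BY, ('dn=".+"', "read"), ("*", "none")]),
]
```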