Re: access



At 12:10 PM 1/24/00 -0500, squeegy+ldap@squeegy.org wrote:
>I am trying the below which incorporates the changes you suggested.  I am still able
>to read anonymously.
>
>access to dn=".*,dc=amsite,dc=com" by dnattr=owner write

This rule is the same as:

access to dn=".*,dc=amsite,dc=com"
        by dnattr=owner write
        by * default

where "default" is your default access (which I suspect is "read").

Assuming you are accessing some entry under "dc=amsite,dc=com",
the other rules don't matter, as this rule applies.

# only allow owner to change owner attribute values, might
# be better to disallow owner write of owner value.
access to attr=owner
        by dnattr=owner write
        by * read    # everyone else (including anon) may read, not write

access to attr=entry
        by self write
        by dnattr=owner write
        by dn=".+" read
        by * read    # allow anon read of DNs

access to attr=cn,givenName,sn,uid
        by self write
        by dnattr=owner write
        by dn=".+" read
        by * search  # allow anon search (but not read)

access to attr=userpassword
        by self write
        by dnattr=owner write
        by * none    # deny non-self including anon

access to *
        by self write
        by dnattr=owner write
        by dn=".+" read
        by * none    # deny anon access
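As an added illustration (not part of the original message, and not OpenLDAP code): a small Python model of slapd's first-match ACL evaluation, run over the one-line rule quoted at the top and over the rule set suggested above. It shows the two points the reply makes: a matching "access to" clause is final, so the broad dn=".*,dc=amsite,dc=com" rule falls through to the default access for anyone but the owner, and a later rule never gets a look-in; and the revised rules give anonymous users only "search" on names and "none" on userpassword. Assumptions: the default access is "read", as the reply suspects; regexes are applied as unanchored, case-insensitive searches; the entry uid=bob,dc=amsite,dc=com, its owner cn=admin,dc=amsite,dc=com and the bind DNs are constructed test data; the toy parser strips trailing "#" comments so the listing above can be pasted in as-is.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Set

# Access levels, weakest to strongest; a grant implies every level to its left.
LEVELS = ["none", "compare", "search", "read", "write"]


@dataclass
class By:
    who: str      # "*", "self", "anonymous", 'dn="<regex>"' or "dnattr=<attr>"
    level: str


@dataclass
class Access:
    dn_regex: Optional[str]    # regex on the target entry's DN, None = any entry
    attrs: Optional[Set[str]]  # attribute names (lower-case), None = every attribute
    by: List[By]


def parse_acl(text: str) -> List[Access]:
    """Parse 'access to <what> by <who> <level> ...' directives in slapd.conf layout.
    Lines starting with whitespace continue the previous directive; trailing
    '#' comments are stripped (a simplification of this toy parser)."""
    logical: List[str] = []
    for raw in text.splitlines():
        line = re.sub(r"#.*", "", raw).rstrip()
        if not line.strip():
            continue
        if line[0] in " \t" and logical:
            logical[-1] += " " + line.strip()
        else:
            logical.append(line.strip())
    rules: List[Access] = []
    for line in logical:
        toks = line.split()
        if toks[:2] != ["access", "to"]:
            raise ValueError("not an access directive: " + line)
        dn_regex, attrs, i = None, None, 2
        while i < len(toks) and toks[i] != "by":
            if toks[i].startswith("dn="):
                dn_regex = toks[i][3:].strip('"')
            elif toks[i].startswith("attr="):
                attrs = {a.lower() for a in toks[i][5:].split(",")}
            i += 1  # a bare "*" target means every entry and attribute
        by: List[By] = []
        while i < len(toks):
            if toks[i] != "by" or i + 2 >= len(toks):
                raise ValueError("malformed by clause: " + line)
            by.append(By(toks[i + 1], toks[i + 2]))
            i += 3
        rules.append(Access(dn_regex, attrs, by))
    return rules


def who_matches(who: str, bind_dn: str, entry: dict) -> bool:
    """Does the <who> of a 'by' clause match the requester? bind_dn is '' for anonymous."""
    if who == "*":
        return True
    if who == "anonymous":
        return bind_dn == ""
    if who == "self":
        return bind_dn != "" and bind_dn.lower() == entry["dn"].lower()
    if who.startswith("dn="):
        return re.search(who[3:].strip('"'), bind_dn, re.IGNORECASE) is not None
    if who.startswith("dnattr="):  # requester DN listed in the entry's attribute
        values = entry["attrs"].get(who[7:].lower(), [])
        return bind_dn != "" and bind_dn.lower() in (v.lower() for v in values)
    raise ValueError("unsupported by clause: " + who)


def granted(rules: List[Access], bind_dn: str, entry: dict, attr: str, default: str = "read") -> str:
    """Access level in effect. The first 'access to' clause whose target matches is
    selected and later clauses are never consulted; inside it the first matching
    'by' clause decides. If none matches, the implicit 'by * default' applies
    (assumed "read" here, as the reply suspects)."""
    for rule in rules:
        if rule.dn_regex is not None and not re.search(rule.dn_regex, entry["dn"], re.IGNORECASE):
            continue
        if rule.attrs is not None and attr.lower() not in rule.attrs:
            continue
        for clause in rule.by:
            if who_matches(clause.who, bind_dn, entry):
                return clause.level
        return default
    return default


def allows(rules, bind_dn, entry, attr, needed, default="read") -> bool:
    return LEVELS.index(granted(rules, bind_dn, entry, attr, default)) >= LEVELS.index(needed)


# Constructed test data: one entry under the suffix, owned by an admin DN.
BOB = {"dn": "uid=bob,dc=amsite,dc=com",
       "attrs": {"owner": ["cn=admin,dc=amsite,dc=com"], "cn": ["Bob"],
                 "userpassword": ["{SSHA}constructed"]}}
ADMIN, ALICE, ANON = "cn=admin,dc=amsite,dc=com", "uid=alice,dc=amsite,dc=com", ""

ORIGINAL_ACL = 'access to dn=".*,dc=amsite,dc=com" by dnattr=owner write\n'
REVISED_ACL = """
access to attr=owner
        by dnattr=owner write
        by * read
access to attr=entry
        by self write
        by dnattr=owner write
        by dn=".+" read
        by * read
access to attr=cn,givenName,sn,uid
        by self write
        by dnattr=owner write
        by dn=".+" read
        by * search
access to attr=userpassword
        by self write
        by dnattr=owner write
        by * none
access to *
        by self write
        by dnattr=owner write
        by dn=".+" read
        by * none
"""

if __name__ == "__main__":
    original, revised = parse_acl(ORIGINAL_ACL), parse_acl(REVISED_ACL)
    print("original rule, anonymous on cn:", granted(original, ANON, BOB, "cn"))
    for attr in ("entry", "cn", "owner", "userpassword", "mail"):
        print(f"revised, {attr}: anon={granted(revised, ANON, BOB, attr)} "
              f"alice={granted(revised, ALICE, BOB, attr)} admin={granted(revised, ADMIN, BOB, attr)}")
    # Keeping the broad rule in front shadows every rule after it.
    print("broad rule first, anonymous on userpassword:",
          granted(parse_acl(ORIGINAL_ACL + REVISED_ACL), ANON, BOB, "userpassword"))
```

Running it prints "read" for the anonymous request under the original rule and "none" for userpassword under the revised set, and the last line shows that prepending the broad rule to the revised set brings anonymous read of userpassword straight back, which is why the reply says the other rules don't matter while that rule is in place.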