[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: access

To: squeegy+ldap@squeegy.org
Subject: Re: access
From: "Kurt D. Zeilenga" <Kurt@OpenLDAP.org>
Date: Mon, 24 Jan 2000 09:42:16 -0800
Cc: OpenLDAP List <openldap-software@OpenLDAP.org>
In-reply-to: <Pine.LNX.4.21.0001241206390.18398-100000@wiggles.squeegy.o rg>
References: <3.0.5.32.20000121130927.00988450@infidel.boolean.net>

At 12:10 PM 1/24/00 -0500, squeegy+ldap@squeegy.org wrote:
>I am trying the below which incorporates the changes you suggested.  I am still able
>read anonymously.
>
>access to dn=".*,dc=amsite,dc=com" by dnattr=owner write

This rule is same as:

access to dn=".*,dc=amsite,dc=com"
	by dnattr=owner write
	by * default

where default is your default access (which I suspect is "read").

Assuming your are accessing some entry under "dc=amsite,dc=com",
then other rules don't matter as this rule applied.

# only allow owner to change owner attribute values, might
# be better to disallow owner write of owner value.
access to attr=owner
	 by dnattr=owner write
        by * read    # deny non-self including anon

access to attr=entry
        by self write
	 by dnattr=owner write
        by dn=".+" read
        by * read   # allow anon read of DNs

access to attr=cn,givenName,sn,uid
        by self write
	 by dnattr=owner write
        by dn=".+" read
	 by * search	# allow anon search (but not read)

access to attr=userpassword
        by self write
	 by dnattr=owner write
        by * none    # deny non-self including anon

access to *
        by self write
	 by dnattr=owner write
        by dn=".+" read
        by * none     # deny anon access

Follow-Ups:
- Re: access
  - From: squeegy+ldap@squeegy.org

References:
- Re: access
  - From: "Kurt D. Zeilenga" <Kurt@OpenLDAP.org>

Prev by Date: Don't permit access for anonymous user...
Next by Date: Re: access
Index(es):
- Chronological
- Thread