
Re: Apologies - ACL question
 Thanks much.

"Kurt D. Zeilenga" wrote:

> At 11:55 AM 6/15/00 -0400, Michael Thomas wrote:
> > => access_allowed: exit (mail=mike@foo.com, ou=Employees, dc=foo,
> >dc=com) attr (entry)
> >acl: access to entry not allowed
>
> You did not grant access to the entry pseudo attribute.
> You likely should make the following changes:
>
> >
> >
> >defaultaccess  none
> >
> >access to attr=userPassword
> > by self write
> > by dn="cn=Administrator,dc=foo,dc=com" write
> > by dn="^$$" compare
> > by * none
>
> Not sure why you grant anonymous users the right to
> compare userPassword values.  Seems quite inappropriate
> (and not needed for authentication).

  Thought it was required after reading some random info. Since removed.

>
>
> >access to attr=mail
> > by dn=".*,ou=Employees,dc=foo,dc=com" write
> > by dn="^$$" search
> > by * none
>
> You grant anonymous the ability to search by mail and
> uid, but not permission to read mail and uid.
> Read is needed if you desire to have these values
> returned.

  Netscape asks you for your e-mail, then searches for the DN containing
that e-mail, then authenticates you based on that DN. I didn't grant read
because I don't think anonymous needs to read the attribute.

>
> access to attr=entry
>   by self write
>   by dn="cn=Administrator,dc=foo,dc=com" write
>   by dn=".*,ou=Employees,dc=foo,dc=com" write
>   by dn="^$$" read
>   by * none

 What does granting anonymous read to entry mean? Can any anonymously
bound user obtain the DNs for all entries this way?

 Thanks.
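A small model of how slapd evaluates the clauses quoted in this thread, added here as an illustration (it is not code from the thread or from OpenLDAP). It assumes the simplified rule that the first `access to` clause naming an attribute decides, the first matching `by` clause within it wins, and a granted level implies every lower one; the ACL table is constructed from the poster's config plus Kurt's suggested `entry` clause.

```python
import re

# slapd privilege levels; a granted level implies every lower one.
LEVELS = ["none", "auth", "compare", "search", "read", "write"]

# Constructed ACL table mirroring the thread: the poster's userPassword and
# mail clauses plus Kurt's suggested clause for the 'entry' pseudo-attribute.
# by dn="^$$" in slapd.conf is the regex ^$ (doubled $ is config escaping),
# i.e. the empty bind DN of an anonymous session.
ADMIN = r"^cn=Administrator,dc=foo,dc=com$"
EMPLOYEES = r".*,ou=Employees,dc=foo,dc=com"
ACLS = [
    ("userPassword", [("self", "write"), (ADMIN, "write"), (r"^$", "compare"), ("*", "none")]),
    ("mail", [(EMPLOYEES, "write"), (r"^$", "search"), ("*", "none")]),
    ("entry", [("self", "write"), (ADMIN, "write"), (EMPLOYEES, "write"), (r"^$", "read"), ("*", "none")]),
]

# Same table without the 'entry' clause, as in the poster's original config.
ACLS_NO_ENTRY = [a for a in ACLS if a[0] != "entry"]

def granted(acls, bind_dn, target_dn, attr):
    """Simplified slapd semantics (assumption): the first 'access to' clause
    naming the attribute decides, and within it the first matching 'by' wins."""
    for what, by_clauses in acls:
        if what != attr:
            continue
        for who, priv in by_clauses:
            if who == "*" or (who == "self" and bind_dn == target_dn) \
                    or (who != "self" and re.search(who, bind_dn)):
                return priv
        return "none"
    return "none"  # nothing matched: defaultaccess none

def allows(acls, bind_dn, target_dn, attr, needed):
    return LEVELS.index(granted(acls, bind_dn, target_dn, attr)) >= LEVELS.index(needed)

def anonymous_search_by_mail(acls, target_dn, requested=("mail",)):
    """Model the Netscape flow from the thread: an anonymous (mail=...) search.
    The filter needs 'search' on mail, returning the entry at all needs 'read'
    on 'entry', and each returned value needs 'read' on its own attribute."""
    if not allows(acls, "", target_dn, "mail", "search"):
        return None
    if not allows(acls, "", target_dn, "entry", "read"):
        return None
    return {"dn": target_dn,
            "attrs": [a for a in requested if allows(acls, "", target_dn, a, "read")]}
```

With the `entry` clause the anonymous search returns the matching DN but no `mail` value (search on mail, read on entry, but no read on mail); without it the entry is not returned at all.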