
RE: minimum ACLs to login to Linux system



Wow that was probably the fastest response I've ever gotten on a public list. :-) That being said, I have a question about your answer.  By saying
	access to *
		by * read
you're granting read access to non-authenticated users to all areas of your LDAP tree that you haven't defined higher up in the config.  What I would like to do is the exact opposite, i.e. restrict all access except to the items explicitly allowed.  I want my last rule to be diametrically opposed to your last rule.  Any idea on how that could be done?
Thanks,
Jason
P.S.  Thanks for the whitepaper link.  Definitely some useful info that I hadn't run across before.

-----Original Message-----
From: David Wright [mailto:ichbin@shadlen.org]
Sent: Wednesday, June 12, 2002 5:58 PM
To: Jason Corley
Cc: openldap-software@OpenLDAP.org
Subject: Re: minimum ACLs to login to Linux system



> I'd like to know what is the minimum access an anonymous user needs
> in order to log in to a Linux system.

access to attribute=userPassword
  by self write
  by anonymous auth
  by * none

access to attribute=loginShell,shadowLastChange
  by self write
  by * read

access to *
  by * read

For additional guidance, see my whitepaper (some parts still in progress)
at http://www.metaconsultancy.com/whitepapers.php
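Added example (editor's addition, not from either message above): a slapd.conf ACL set that takes David's three rules and turns them into the default-deny layout Jason asks for, i.e. the last rule is `access to * by * none` and everything a Linux login needs is granted explicitly above it. It assumes OpenLDAP 2.1 or later syntax (`dn.subtree=`, the `entry` pseudo-attribute), a suffix of dc=example,dc=com with users under ou=People and groups under ou=Group, and an nss_ldap/pam_ldap client that binds anonymously for lookups and as the user for authentication; none of those names are in the original thread.

```conf
# Added example: default-deny ACLs for slapd.conf that still let a
# Linux box authenticate and resolve posixAccount/posixGroup entries.
# Assumed (not from the thread): suffix dc=example,dc=com, users under
# ou=People, groups under ou=Group, anonymous NSS lookups, OpenLDAP 2.1+.
# Evaluation is first match: the first "access to" whose target matches
# the request is used, and within it the first "by" that matches the
# requester. Nothing falls through to a later rule, so order matters.

# Password: the user may change it, anyone may bind with it ("auth"),
# nobody may read it. "attrs=" and "attribute=" are synonyms.
access to attrs=userPassword
  by self write
  by anonymous auth
  by * none

# Password aging: passwd(1) via pam_ldap writes shadowLastChange as the
# user; the other shadow fields only need to be readable for expiry checks.
access to attrs=shadowLastChange
  by self write
  by * read

access to attrs=shadowMin,shadowMax,shadowWarning,shadowInactive,shadowExpire
  by * read

# Account entries: exactly the fields getpwnam(3) needs, nothing else.
# "entry" is the pseudo-attribute slapd (2.1+) checks before it will
# return an entry at all; leave it out and the search comes back empty.
access to dn.subtree="ou=People,dc=example,dc=com"
  attrs=entry,objectClass,uid,cn,uidNumber,gidNumber,homeDirectory,loginShell,gecos
  by * read

# Group entries: what getgrnam(3) and initgroups(3) need.
access to dn.subtree="ou=Group,dc=example,dc=com"
  attrs=entry,objectClass,cn,gidNumber,memberUid
  by * read

# Containers used as search bases (the suffix, ou=People, ou=Group):
# slapd requires "search" access to the base entry before it will run a
# subtree search from it. This rule sits after the People/Group rules so
# their entries keep "read"; everything else in the tree gets only
# "search" on entry, with no attribute access, so nothing is disclosed.
access to dn.subtree="dc=example,dc=com" attrs=entry
  by * search

# The diametric opposite of "access to * by * read": deny everyone
# everything not granted above. The rootdn bypasses ACLs, so admin work
# is unaffected, but any other account that needs more (replication
# users, a proxy binddn for the clients) must be added above this line.
access to *
  by * none
```

Two things worth checking after loading this. First, an anonymous `ldapsearch -x -b ou=People,dc=example,dc=com '(uid=someuser)'` should return the posixAccount fields but never userPassword, and an anonymous search for an attribute outside the list (mail, description) should return the entry with that attribute silently omitted. Second, if the clients bind with a proxy DN instead of anonymously (nss_ldap's binddn), replace the `by * read` clauses in the People and Group rules with `by dn.exact="cn=proxy,dc=example,dc=com" read` so that anonymous gets nothing at all; the `by anonymous auth` on userPassword must stay, since the PAM bind happens before the user is anyone else.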