[Date Prev][Date Next] [Chronological] [Thread] [Top]

RE: minimum ACLs to login to Linux system

To: "David Wright" <ichbin@shadlen.org>
Subject: RE: minimum ACLs to login to Linux system
From: "Jason Corley" <Jason.Corley@togethersoft.com>
Date: Wed, 12 Jun 2002 18:07:53 -0400
Cc: <openldap-software@OpenLDAP.org>
Content-class: urn:content-classes:message
Thread-index: AcISXCeGD3cZtQlmRzKTv8OeIYk03wAAOXxQ
Thread-topic: minimum ACLs to login to Linux system

Wow that was probably the fastest response I've ever gotten on a public list. :-) That being said, I have a question about your answer.  By saying
	access to *
		by * read
you're granting read access to non-authenticated users to all areas of your LDAP tree that you haven't defined higher up in the config.  What I would like to do is the exact opposite, i.e. restrict all access accept to the items explicitly allowed.  I want my last rule to be the diametrically opposed to your last rule.  Any idea on how that could be done?
Thanks,
Jason
P.S.  Thanks for the whitepaper link.  Definitely some useful info that I hadn't run across before.

-----Original Message-----
From: David Wright [mailto:ichbin@shadlen.org]
Sent: Wednesday, June 12, 2002 5:58 PM
To: Jason Corley
Cc: openldap-software@OpenLDAP.org
Subject: Re: minimum ACLs to login to Linux system



> I'd like to know what is the minimum access an anonymous user needs
> in order to log in to a Linux system.

access to attribute=userPassword
  by self write
  by anonymous auth
  by * none

access to attribute=loginShell,shadowLastChange
  by self write
  by * read

access to *
  by * read

For additional guidance, see my whitepaper (some parts still in progress)
at http://www.metaconsultancy.com/whitepapers.php

Follow-Ups:
- RE: minimum ACLs to login to Linux system
  - From: David Wright <ichbin@shadlen.org>

Prev by Date: Re: minimum ACLs to login to Linux system
Next by Date: RE: minimum ACLs to login to Linux system
Index(es):
- Chronological
- Thread