
RE: minimum ACLs to login to Linux system



> By saying
> 	access to *
> 		by * read
> you're granting read access to non-authenticated users to all areas of
> your LDAP tree that you haven't defined higher up in the config.  What
> I would like to do is the exact opposite, i.e. restrict all access
> except to the items explicitly allowed.  I want my last rule to be
> diametrically opposed to your last rule.

Default-deny policies are more secure than default-permit policies, no
question about it. But most of the attributes of your user objects need
to be accessible for a Unix system to run normally. For example,
everyone needs to read uid and uidNumber in order to be able to do
"ls -l". Mostly LDAP servers are used to serve information you want
everyone in your organization to have access to.

You could try

access to *
  by users read

which demands that all readers be authenticated. Then you'll need to
configure nss-ldap and pam-ldap (assuming you're using Linux) to bind as
specific users. See their man pages for instructions.
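As an added illustration (not part of either message above), here is a slapd.conf ACL set written in the default-deny shape the original poster asks for, while still exposing the attributes the reply says NSS needs. The suffix dc=example,dc=com, the ou=People/ou=Group layout and the exact attribute lists are assumptions.

```conf
# slapd.conf ACL fragment (added example, not from the thread).
# Assumed layout: users under ou=People,dc=example,dc=com, groups under
# ou=Group,dc=example,dc=com. slapd applies the FIRST "access to" clause
# whose target matches, so the specific rules must precede the catch-all.
# The rootdn bypasses ACLs entirely and is not covered here.

# 1. Passwords: the owner may change their own; everyone else may only
#    present one during a simple bind (auth), never read it.
access to attrs=userPassword
  by self write
  by anonymous auth
  by * none

# 2. What nss-ldap/pam-ldap need from user entries (uid and uidNumber for
#    "ls -l", plus the rest of posixAccount), readable only by
#    authenticated binds such as the proxy DN configured in ldap.conf.
#    "entry" must be granted as well, or no attribute is visible at all.
access to dn.subtree="ou=People,dc=example,dc=com"
    attrs=entry,objectClass,uid,uidNumber,gidNumber,homeDirectory,loginShell,gecos,cn
  by users read
  by * none

# 3. The same for groups, so group names and membership resolve.
access to dn.subtree="ou=Group,dc=example,dc=com"
    attrs=entry,objectClass,cn,gidNumber,memberUid
  by users read
  by * none

# 4. Catch-all: anything not explicitly granted above (other attributes on
#    those entries, every other part of the tree, all anonymous browsing)
#    is denied. slapd already denies what no clause grants once any ACL
#    is defined; writing it out makes the intent explicit.
access to *
  by * none

# For contrast, the quoted default-permit ending would instead hand every
# attribute the rules above do not mention to unauthenticated clients:
#   access to *
#     by * read
```

Because a request for an attribute not listed in rules 2 or 3 falls through to rule 4, adding a new attribute that NSS or PAM needs means extending the attrs list rather than loosening the catch-all.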