[Date Prev][Date Next]
[Chronological]
[Thread]
[Top]
RE: access and filters
while you weren't looking, Kurt D. Zeilenga (Kurt@OpenLDAP.org) wrote:
[...]
> Before you write any ACLs, you should write down what
> your desired access policy.
I kind-of had; I think the problem is more in my English to OpenLDAP
ACL translation skills...
> From what you've said here, your desired policy is something like:
> a) allow anonymous users to search for authentication
> identity (but not read entry contents)
> b) allow authentication using identity and password
> c) allow authenticated users read access to everything
> except passwords
> d) allow users to update their object
> e) allow managers to update anything and everything
Other than that authenticated users should only be able to read their
own object, on the nose. Since they'll never directly interact with
LDAP, however, and are instead mediated through a PHP script their
login process calls, this works well enough as is. I can always go
back and tighten things down later.
Many thanks, Kurt. My directory works as desired now.
Cheers,
/rls
--
Rosser Schwarz
Total Card, Inc.