Re: acl fun
> Primary LDAP server - posixAccount/sambaSamAccount logins
>
> I'm trying to secure things - does this make sense?
> Is there a better way that I might learn something from this?
>
> access to dn=".*,o=Domain,c=US" attr=userPassword
> by dn="cn=root,o=Domain,c=US" write
> by dn="cn=admin,ou=People,o=Domain,c=US" write
> by users write
All users can write each other's passwords... you might want to change the last
line to 'by self write'.
>
> access to dn="ou=People,o=Domain,c=US"
> by dn="cn=root,o=Domain,c=US" write
> by dn="cn=admin,ou=People,o=Domain,c=US" write
> by self write
dn defaults to dn.regex.
The string "ou=People,o=Domain,c=US" also appears in the rules below, so they
won't be evaluated. Use dn.exact or dn.base depending on the version of OL
you are using. dn.exact has my preference.
>
> access to dn="uid=*,ou=People,o=Domain,c=US"
> by dn="cn=root,o=Domain,c=US" write
> by dn="cn=admin,ou=People,o=Domain,c=US" write
> by users write
Users can write in each other's entries.
Maybe change the last line into two lines:
by self write
by users read
so users will only be able to read each other's entries.
>
> access to dn="ou=Groups,o=Domain,c=US"
> by dn="cn=root,o=Domain,c=US" write
> by dn="cn=admin,ou=People,o=Domain,c=US" write
>
> access to dn="ou=Computers,o=Domain,c=US"
> by dn="cn=root,o=Domain,c=US" write
> by dn="cn=admin,ou=People,o=Domain,c=US" write
>
> access to dn=".*,o=Domain,c=US"
> by * none
>
> Thanks
> Craig
_Ace
--
Ace Suares' Internet Consultancy
NEW ADDRESS: Postbus 2599, 4800 CN Breda
phone: 06-244 33 608
fax and voicemail: 0848-707 705
website: http://www.suares.nl * http://www.qwikzite.nl
- References:
- acl fun
- From: Craig White <craigwhite@azapple.com>
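The points made in the reply (first-match evaluation, an unanchored dn.regex swallowing the rules below it, 'by self write' / 'by users read' instead of 'by users write') pulled together into one slapd.conf ACL set. This is an added example written for this thread, not Craig's posted configuration and not text from the reply. Assumptions not in the original: the sambaNTPassword/sambaLMPassword attributes are protected together with userPassword because the post mentions sambaSamAccount logins; an 'anonymous auth' clause is included so simple binds can still verify passwords; dn.subtree is used for the Groups and Computers branches so that switching away from the unanchored regex does not silently drop write access to the entries beneath those containers; and the 'users read' lines on the containers are a choice for this example, not something the thread settled.

```conf
# Added example for the "acl fun" thread: hardened slapd.conf ACLs for
# o=Domain,c=US.  "access to" clauses are tried top to bottom and the first
# clause whose target matches decides the request, so specific targets
# (password attributes, user entries) come before the broad ones.

# 1. Password attributes anywhere under the suffix.
#    Assumption: sambaNTPassword/sambaLMPassword exist (sambaSamAccount).
#    The owner and the admins may write; other users get nothing; anonymous
#    may only use the value for bind ("auth"), which keeps logins working.
access to dn.regex="^.*,o=Domain,c=US$"
        attrs=userPassword,sambaNTPassword,sambaLMPassword
    by dn.exact="cn=root,o=Domain,c=US" write
    by dn.exact="cn=admin,ou=People,o=Domain,c=US" write
    by self write
    by anonymous auth
    by * none

# 2. User entries.  The regex is anchored at both ends so it matches only
#    the entries directly under ou=People, never the container itself.
#    "by self write" then "by users read": a user may edit their own entry
#    and only read the others.
access to dn.regex="^uid=[^,]+,ou=People,o=Domain,c=US$"
    by dn.exact="cn=root,o=Domain,c=US" write
    by dn.exact="cn=admin,ou=People,o=Domain,c=US" write
    by self write
    by users read
    by * none

# 3. The ou=People container itself.  dn.exact matches this one entry
#    only, so rule 2 above is still reached for the entries beneath it
#    (with the original unanchored dn="ou=People,..." regex it would not be).
access to dn.exact="ou=People,o=Domain,c=US"
    by dn.exact="cn=root,o=Domain,c=US" write
    by dn.exact="cn=admin,ou=People,o=Domain,c=US" write
    by users read
    by * none

# 4. Groups and Computers.  dn.subtree covers the container and everything
#    under it; with dn.exact alone the group/computer entries would fall
#    through to the final "by * none" and even the admins could not write
#    them.  "by users read" is assumed here so logged-in users can resolve
#    groups; remove it if those branches should stay admin-only.
access to dn.subtree="ou=Groups,o=Domain,c=US"
    by dn.exact="cn=root,o=Domain,c=US" write
    by dn.exact="cn=admin,ou=People,o=Domain,c=US" write
    by users read
    by * none

access to dn.subtree="ou=Computers,o=Domain,c=US"
    by dn.exact="cn=root,o=Domain,c=US" write
    by dn.exact="cn=admin,ou=People,o=Domain,c=US" write
    by users read
    by * none

# 5. Explicit catch-all: anything not matched above is denied.
access to *
    by * none
```

To check the result without guessing, bind as an ordinary uid and try to read another user's userPassword (expect no value returned), modify another user's entry (expect insufficientAccessRights), and modify your own description attribute (expect success); then repeat the password-attribute read as the admin DN. Remember that the rootdn configured in slapd.conf bypasses ACLs entirely, so it proves nothing about them.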