[Date Prev][Date Next]
[Chronological]
[Thread]
[Top]
Re: ACL Blacklist
> Could anyone give me advice on implementing blacklists, the following
> does not seem to work :
>
> access to attr=userPassword
> by dn="uid=testuser,ou=people,dc=mydomain,dc=com" none
> by self read
> by * auth
>
> access to *
> by * read
>
>
> I'd like to replace
>
> by dn="uid=testuser,ou=people,dc=mydomain,dc=com" none
>
> with
>
> by group="ou=blacklist,ou=people,dc=mydomain,dc=com" none
>
> but I can't get the basics to work - I've seen postings on whitelist
> access for admin staff but nothing on denying access based on
> groupOfNames.
Blacklisting, AFAIK, is the same as whitelisting,
with access denied instead of allowed.
So, "by group=<blacklist dn> none" is fine.
I infer that your problem is in what the <blacklist dn>
contains, or how it is defined. It must be an entry
of "groupOfNames" objectClass, and those DNs listed
in the "member" attribute will be given the access
privileges you set at the end of the "by" clause, in
your case "none".
see slapd.access(5) for a detailed description of the
access clauses, and be sure you read the manual related
to your software version (which you do not mention:
ACL syntax and sematics don't change very often,
but when they do do it can be a pain somewhere behind).
p.
--
Pierangelo Masarati
mailto:pierangelo.masarati@sys-net.it