
Re: ACL Blacklist



> Thanks for the prompt reply, my version of openldap is 2.1.25 - I'm
> using groupOfNames and the entry
>
>
> access	to attr=userPassword
> 	by
> group/groupOfNames/member="cn=sys_black_list,ou=sys,ou=groups,dc=mydomain,dc=com"
> none
> 	by users read
> 	by * auth
>
> access 	to *
> 	by * read

I think I had some ham slices on my eyes: the "by group=<> none"
does not match, because before bind takes place, your user has
no identity.  But the "by * none" matches it, so it gets read
permission on the password as well!  You can't inhibit bind
(how could your DSA be of any use, otherwise?), simply use
"by group=<> none" to everything else, e.g.

access to attrs=userPassword
    by * auth

access to *
    by group=<blacklist dn> none
    by users read
    by * none

note the "by users read"; if you simply do "by * read", then unbound
users would have read privileges, while bound users in the blacklist
would not.  I guess the first thing a blacklisted user would do is not
to auth any more!

p.

-- 
Pierangelo Masarati
mailto:pierangelo.masarati@sys-net.it
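To make the "by users read" versus "by * read" point concrete, here is an added example (not from the thread or from OpenLDAP itself): a small model of slapd's first-match ACL evaluation, run over the corrected ACL from the reply and over the "by * read" variant it warns against. The blacklist DN is the one from the quoted config; the member and requester DNs are constructed.

```python
# Minimal model of slapd ACL evaluation (added example, not OpenLDAP code).
# Assumed semantics: the first "access to" clause whose target matches is
# used; inside it the first matching "by" clause decides the level; if no
# "by" clause matches, access is denied.
LEVELS = ["none", "auth", "compare", "search", "read", "write"]

BLACKLIST_DN = "cn=sys_black_list,ou=sys,ou=groups,dc=mydomain,dc=com"
# Constructed directory data: members of the blacklist groupOfNames.
GROUPS = {BLACKLIST_DN: {"uid=mallory,ou=people,dc=mydomain,dc=com"}}

def who_matches(who, bound_dn):
    """Does a <who> clause apply to the requester? bound_dn is None when anonymous."""
    if who == "*":
        return True
    if who == "anonymous":
        return bound_dn is None
    if who == "users":
        return bound_dn is not None
    if who.startswith("group="):
        members = GROUPS.get(who[len("group="):], set())
        return bound_dn is not None and bound_dn in members
    raise ValueError(f"unsupported who clause: {who}")

def evaluate(acl, attr, bound_dn):
    """Access level granted on `attr` to a requester bound as `bound_dn`.
    `acl` is a list of (target, [(who, level), ...]); target is an attribute name or '*'."""
    for target, by_clauses in acl:
        if target not in ("*", attr):
            continue
        for who, level in by_clauses:
            if who_matches(who, bound_dn):
                return level
        return "none"  # no <by> clause matched: denied
    return "none"      # no <access to> clause matched: denied

def allows(level, wanted):
    """Higher levels imply lower ones, e.g. "read" also grants "auth"."""
    return LEVELS.index(level) >= LEVELS.index(wanted)

# The corrected ACL from the reply, and the "by * read" variant it warns against.
FIXED = [("userPassword", [("*", "auth")]),
         ("*", [(f"group={BLACKLIST_DN}", "none"), ("users", "read"), ("*", "none")])]
LEAKY = [("userPassword", [("*", "auth")]),
         ("*", [(f"group={BLACKLIST_DN}", "none"), ("*", "read")])]
```

With FIXED, anonymous and blacklisted requesters both get "none" on ordinary attributes while bind still works; with LEAKY an unbound requester reads everything that a bound blacklisted user cannot.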