Re: more access permission
Today at 12:17pm, Douglas B. Jones wrote:
> (&(uid=john)(objectClass=person))
> (uid=john)
>
> Now, are there any security concerns about putting in the
> access rules read to 'objectClass', such as:
>
> access to attrs=entry,uid,sn,mail,ou,cn,givenname,objectClass
> by users read
> by anonymous read
The hole you are opening is that by knowing the objectClass(es) the
entry has, one can find out what attributes that entry must and may
have. Therefore, if that bothers you, then I'd recommend the following:
access to attrs=objectClass
by * compare
access to attrs=entry,uid,sn,mail,ou,cn,givenname
by * read
That will force the *bad people* to do an explicit compare for every
possible objectClass to see what the entry has (unless giving read
access to the entry allows one to read everything -- dunno, haven't
played with "entry" in any of my ACLs).
I used "*" in those ACLs because that's really what you are doing;
anonymous is (I suppose) clearer to some folks.
--
Frank Swasey | http://www.uvm.edu/~fcs
Systems Programmer | Always remember: You are UNIQUE,
University of Vermont | just like everyone else.
=== God Bless Us All ===
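As an added illustration (not from Frank's mail or OpenLDAP's own code), this Python models slapd's ordered access levels (none < disclose < auth < compare < search < read < write) and its first-matching-clause rule, then runs both ACL variants from the thread through it. It shows the enumeration cost Frank describes and one caveat: `compare` sits below `search`, so `by * compare` on objectClass also stops the attribute being used in a filter such as `(objectClass=person)`. The ACL text parser is a constructed subset of slapd.conf syntax and the candidate class list is made up.

```python
# Added example, not part of the original mail: a small model of slapd's
# attribute ACL evaluation. The access-level order and "first matching clause
# wins" rule follow OpenLDAP; the ACL texts and class list are constructed.
LEVELS = ["none", "disclose", "auth", "compare", "search", "read", "write"]
# Minimum level each operation needs on an attribute (OpenLDAP semantics).
REQUIRED = {"compare": "compare", "filter": "search", "read": "read"}

ORIGINAL_ACL = """
access to attrs=entry,uid,sn,mail,ou,cn,givenname,objectClass
  by users read
  by anonymous read
"""
SUGGESTED_ACL = """
access to attrs=objectClass
  by * compare
access to attrs=entry,uid,sn,mail,ou,cn,givenname
  by * read
"""

def parse_acl(text):
    """Parse 'access to attrs=... / by <who> <level>' clauses (subset of slapd.conf)."""
    rules = []
    for clause in text.strip().split("access to ")[1:]:
        lines = clause.strip().splitlines()
        attrs = lines[0].split("attrs=", 1)[1].split(",")
        who = [tuple(line.split()[1:3]) for line in lines[1:]]   # e.g. ("users", "read")
        rules.append((attrs, who))
    return rules

def granted_level(rules, attr, requester):
    """First 'access to' clause naming the attribute decides; within it, first matching 'by'."""
    for attrs, who in rules:
        if attr in attrs:
            for subject, level in who:
                if subject in ("*", requester) or (subject == "users" and requester != "anonymous"):
                    return level
            return "none"
    return "none"

def allowed(rules, attr, requester, op):
    return LEVELS.index(granted_level(rules, attr, requester)) >= LEVELS.index(REQUIRED[op])

def probes_to_learn_classes(rules, requester, candidates):
    """Requests needed to learn an entry's objectClass values: one read, or one compare per candidate."""
    if allowed(rules, "objectClass", requester, "read"):
        return 1
    if allowed(rules, "objectClass", requester, "compare"):
        return len(candidates)
    return None
```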