
Re: problem with access control



> Ottavio Campana <ottavio@campana.vi.it> 03/08/04 07:09pm >>>
>Frank Thyes wrote:
>> Should be enough....
>
>by the way, I'm thinking that maybe I can get some collision between the
>access rules. I've got:
>
>access to attribute=userPassword
>         by dn="cn=amministratore,dc=campana,dc=vi,dc=it" write
>         by anonymous auth
>         by self write
>         by * none
> 
>
>access to dn.base="" by * read
> 
>
>access to *
>         by dn="cn=amministratore,dc=campana,dc=vi,dc=it" write
>         by * read
> 
>
>access to dn.subtree="ou=Ottavio,ou=Rubriche,dc=campana,dc=vi,dc=it"
>         by dn="uid=bott,ou=Users,dc=campana,dc=vi,dc=it" write
>         by * none
>
>maybe it's the third rule that isn't hidden by the last one?
>
>In this situation how should I change the third rule so that everyone
>doesn't get read access to ou=Rubriche,dc=campana,dc=vi,dc=it and
>everything in it?
>
>And on one last thing: can I create a rule that allows
>cn=amministratore,dc=campana,dc=vi,dc=it to login only from localhost?
>
>-- 
>There is no longer any strength in normality, there is only monotony.

You need to move your rule for the addressbooks up.

In general, I try to have my access rules go from the more specific
(ou=Ottavio,ou=Rubriche,dc=campana,dc=vi,dc=it) to the more general (*).
That way, you are sure that requests for the leaves deeper in the tree
are granted or denied first.

In your case, when OpenLDAP receives a query for read access to the
subtree of ou=Ottavio,ou=Rubriche,dc=campana,dc=vi,dc=it and it sees
that * has read access to *, it stops processing the access rules and
grants access. If, however, it sees that * has no access to
ou=Ottavio,ou=Rubriche,dc=campana,dc=vi,dc=it, it will stop there and
deny access.

Mike.
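As an added illustration of the first-match behaviour described above (not code from this thread or from OpenLDAP itself), here is a small Python model of slapd.conf ACL evaluation run over the four rules from the question in their original order and with the addressbook rule moved up. The rule encoding and the `cn=Example Contact` entry are constructed, and real slapd features (attribute lists, filters, ssf, the rootdn bypass) are deliberately not modelled.

```python
# Simplified first-match model of slapd.conf "access to ... by ..." evaluation:
# the first "access to" clause whose target matches the entry decides, and
# within it the first "by" clause matching the requester sets the level.
LEVELS = ["none", "auth", "compare", "search", "read", "write"]

BASE = "dc=campana,dc=vi,dc=it"
ADMIN = "cn=amministratore," + BASE
BOTT = "uid=bott,ou=Users," + BASE
RUBRICA = "ou=Ottavio,ou=Rubriche," + BASE
ENTRY = "cn=Example Contact," + RUBRICA   # constructed addressbook entry

def target_matches(target, entry_dn, attr):
    kind, value = target
    if kind == "attribute":          # attribute-level rule, on any entry
        return attr == value
    if kind == "dn.base":            # exactly this DN ("" is the rootDSE)
        return entry_dn == value
    if kind == "dn.subtree":         # this DN and everything below it
        return entry_dn == value or entry_dn.endswith("," + value)
    return kind == "*"

def who_matches(who, requester, entry_dn):
    if who == "anonymous":
        return requester is None
    if who == "self":
        return requester == entry_dn
    return who == "*" or requester == who   # "*" or a literal dn="..." clause

def granted(rules, requester, entry_dn, attr="entry"):
    for target, by_clauses in rules:
        if target_matches(target, entry_dn, attr):
            for who, level in by_clauses:
                if who_matches(who, requester, entry_dn):
                    return level     # first matching "by" wins
            return "none"            # matching "to" but no matching "by": denied
    return "none"                    # no rule matched at all: denied

def allows(rules, requester, entry_dn, want, attr="entry"):
    return LEVELS.index(granted(rules, requester, entry_dn, attr)) >= LEVELS.index(want)

PASSWORD = (("attribute", "userPassword"),
            [(ADMIN, "write"), ("anonymous", "auth"), ("self", "write"), ("*", "none")])
ROOTDSE = (("dn.base", ""), [("*", "read")])
CATCH_ALL = (("*", None), [(ADMIN, "write"), ("*", "read")])
ADDRESSBOOK = (("dn.subtree", RUBRICA), [(BOTT, "write"), ("*", "none")])

ORIGINAL = [PASSWORD, ROOTDSE, CATCH_ALL, ADDRESSBOOK]   # order in the question
REORDERED = [PASSWORD, ROOTDSE, ADDRESSBOOK, CATCH_ALL]  # specific before general
```

With the subtree rule moved above `access to *`, anonymous read on the addressbook is denied, but cn=amministratore then gets no access there either unless it is added to that rule's `by` clauses or is the database rootdn, which bypasses ACLs.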