Re: problem with access control
> Ottavio Campana <ottavio@campana.vi.it> 03/08/04 07:09pm >>>
>Frank Thyes wrote:
>> Should be enough....
>
>by the way, I'm thinking that maybe I can get some collision between
>the
>access rules. I've got:
>
>access to attribute=userPassword
> by dn="cn=amministratore,dc=campana,dc=vi,dc=it" write
> by anonymous auth
> by self write
> by * none
>
>
>access to dn.base="" by * read
>
>
>access to *
> by dn="cn=amministratore,dc=campana,dc=vi,dc=it" write
> by * read
>
>
>access to dn.subtree="ou=Ottavio,ou=Rubriche,dc=campana,dc=vi,dc=it"
> by dn="uid=bott,ou=Users,dc=campana,dc=vi,dc=it" write
> by * none
>
>maybe it's the third rule that isn't hidden by the last one?
>
>In this situation how should I change the third rule so that everyone
>doesn't get read access to ou=Rubriche,dc=campana,dc=vi,dc=it and
>everything in it?
>
>And on one last thing: can I create a rule that allows
>cn=amministratore,dc=campana,dc=vi,dc=it to login only from
>localhost?
>
>--
>There is no more strength in normality, there is only monotony.
You need to move your rule for the address books up.
In general, I try to have my access rules go from the more specific
(ou=Ottavio,ou=Rubriche,dc=campana,dc=vi,dc=it) to the more general (*).
That way, you are sure that requests for the leaves deeper in the tree
are granted or denied first.
In your case, when OpenLDAP receives a query for read access to the
subtree of ou=Ottavio,ou=Rubriche,dc=campana,dc=vi,dc=it and it sees
that * has read access to *, it stops processing the access rules and
grants access. If, however, it sees that * has no access to
ou=Ottavio,ou=Rubriche,dc=campana,dc=vi,dc=it, it will stop there and
deny access.
Mike.
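To make the first-match behaviour Mike describes concrete, here is a small Python model of slapd ACL evaluation run over the rule set quoted in the thread, in its original order and with the address-book rule moved above `access to *`. This is an added example, not code from the thread or from OpenLDAP: it implements only the selectors the quoted rules use (`*`, `dn.base`, `dn.subtree`, `attribute`/`attrs`, `anonymous`, `self`, `dn=` treated as an exact DN), assumes slapd.access(5) semantics where the first matching `access to` directive and then its first matching `by` clause decide and anything unmatched is denied, and ignores `break`/`continue` controls, regex styles and the rootdn. The entry `cn=Someone,...` is a constructed DN; the other DNs are the ones from the mail.

```python
import re

# Access levels in increasing order of privilege (slapd.access(5)); a "by" clause
# granting level X implies every level below it.
LEVELS = ["none", "auth", "compare", "search", "read", "write"]


def _norm(dn):
    """Normalise a DN for comparison: lower-case, no whitespace around commas."""
    return ",".join(p.strip() for p in dn.lower().split(",")) if dn else ""


def _parse_by(clause):
    who, level = clause.strip().rsplit(None, 1)
    if level not in LEVELS:
        raise ValueError(f"unknown access level: {level}")
    return who, level


def parse_acl(text):
    """Parse 'access to <what> [by <who> <level>]...' directives into a rule list.
    Supported <what>: *, dn.base="...", dn.subtree="...", attribute=a,b / attrs=a,b."""
    rules = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("access to "):
            what_text, *inline_bys = re.split(r"\s+by\s+", line[len("access to "):])
            what = {"dn_base": None, "dn_subtree": None, "attrs": None}
            for key, val in re.findall(r'(\S+?)=("[^"]*"|\S+)', what_text):
                val = val.strip('"')
                if key == "dn.base":
                    what["dn_base"] = _norm(val)
                elif key == "dn.subtree":
                    what["dn_subtree"] = _norm(val)
                elif key in ("attribute", "attrs"):
                    what["attrs"] = {a.strip().lower() for a in val.split(",")}
                else:
                    raise ValueError(f"unsupported <what> selector: {key}")
            rules.append({"what": what, "by": [_parse_by(b) for b in inline_bys]})
        elif line.startswith("by "):
            rules[-1]["by"].append(_parse_by(line[3:]))
        else:
            raise ValueError(f"cannot parse line: {raw}")
    return rules


def _what_matches(what, target_dn, attr):
    t = _norm(target_dn)
    if what["dn_base"] is not None and t != what["dn_base"]:
        return False
    s = what["dn_subtree"]
    if s is not None and t != s and not t.endswith("," + s):
        return False
    if what["attrs"] is not None and (attr is None or attr.lower() not in what["attrs"]):
        return False
    return True  # "*" (no selectors) matches every entry and attribute


def _who_matches(who, requester_dn, target_dn):
    r = _norm(requester_dn)  # "" means an anonymous (unauthenticated) session
    if who == "*":
        return True
    if who == "anonymous":
        return r == ""
    if who == "self":
        return r != "" and r == _norm(target_dn)
    m = re.fullmatch(r'dn="([^"]*)"', who)
    if m:  # assumption: plain dn="..." is an exact match, as in the quoted rules
        return r == _norm(m.group(1))
    raise ValueError(f"unsupported <who>: {who}")


def allowed(rules, target_dn, attr, requester_dn, level):
    """First 'access to' clause whose <what> matches decides; inside it, the first
    matching 'by' clause decides. No match at either stage means access is denied."""
    for rule in rules:
        if not _what_matches(rule["what"], target_dn, attr):
            continue
        for who, granted in rule["by"]:
            if _who_matches(who, requester_dn, target_dn):
                return LEVELS.index(granted) >= LEVELS.index(level)
        return False  # implicit trailing "by * none"
    return False


# The four clauses quoted in the thread, kept separate so that only their order
# differs between the two configurations below.
PASSWORD_RULE = '''access to attribute=userPassword
    by dn="cn=amministratore,dc=campana,dc=vi,dc=it" write
    by anonymous auth
    by self write
    by * none'''
ROOTDSE_RULE = 'access to dn.base="" by * read'
CATCHALL_RULE = '''access to *
    by dn="cn=amministratore,dc=campana,dc=vi,dc=it" write
    by * read'''
ADDRESSBOOK_RULE = '''access to dn.subtree="ou=Ottavio,ou=Rubriche,dc=campana,dc=vi,dc=it"
    by dn="uid=bott,ou=Users,dc=campana,dc=vi,dc=it" write
    by * none'''
ORIGINAL_ORDER = "\n".join([PASSWORD_RULE, ROOTDSE_RULE, CATCHALL_RULE, ADDRESSBOOK_RULE])
FIXED_ORDER = "\n".join([PASSWORD_RULE, ROOTDSE_RULE, ADDRESSBOOK_RULE, CATCHALL_RULE])

ENTRY = "cn=Someone,ou=Ottavio,ou=Rubriche,dc=campana,dc=vi,dc=it"  # constructed entry
ADMIN = "cn=amministratore,dc=campana,dc=vi,dc=it"
BOTT = "uid=bott,ou=Users,dc=campana,dc=vi,dc=it"


def check(acl_text, requester_dn, level, target_dn=ENTRY, attr="cn"):
    """Evaluate one request against an ACL text; requester_dn=None is anonymous."""
    return allowed(parse_acl(acl_text), target_dn, attr, requester_dn, level)


if __name__ == "__main__":
    for name, text in (("original order", ORIGINAL_ORDER), ("address book rule first", FIXED_ORDER)):
        print(f"{name}: anonymous read={check(text, None, 'read')}, "
              f"bott write={check(text, BOTT, 'write')}, admin write={check(text, ADMIN, 'write')}")
```

In the original order the anonymous read lands on `access to *` and is granted before the subtree rule is ever consulted; with the address-book rule first it is denied. The model also shows the side effect of the move: once the subtree rule comes first, its own `by` list is final for that subtree, so `cn=amministratore` loses write access there unless it gets its own `by` clause in that rule.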