Re: Access control
Ben Beuchler wrote:
> By the time we roll in our OS X, mail, and internal data, individual
> directory entries are getting quite large. I would like to restrict
> anonymous queries to just retrieving a small subset of attributes (cn,
> displayName, mail, ou, etc.).
>
> Is there some method that would allow me to specify which attributes
> an anonymous user can see, and default to denying the rest?
>
> This is what I tried:
>
> -------------------
>
> # Let anonymous users read just the basic attributes
> access to dn.subtree="dc=users,dc=accounts,dc=ldap,dc=mcad,dc=edu"
> attrs=displayName,cn,mail
> by self write
> by anonymous read
> by dn="cn=postfix,dc=bindAccts,dc=ldap,dc=mcad,dc=edu" read
> by dn="cn=barracuda,dc=bindAccts,dc=ldap,dc=mcad,dc=edu" read
> by * none
Shouldn't the last line be (assuming these are the attributes you want
to be visible to anonymous users):
by * read
?
> #Let only accounts under bindAccts read the rest
> access to dn.subtree="dc=users,dc=accounts,dc=ldap,dc=mcad,dc=edu"
> by dn.children="dc=bindAccts,dc=ldap,dc=mcad,dc=edu" read
> by anonymous search
> by * none
>
Hmm, all bind accounts can read all attributes of any other users? Like
userPassword? Maybe not such a good idea.
> --------------------
>
> With that approach, anonymous users see nothing.
Yep ... because you haven't got an access rule for "anonymous" on the
first ACL, but you restrict everyone (including anonymous) to none.
> If I comment out the
> second ACL, the query falls through to the list ACL in my config,
> which is:
>
> access to *
> by <specific accounts> write
> by * read
Your last ACL should probably not be "by * read" for what you want to
accomplish ...
Also, "by users" and "by self" may be useful to you ... so please read
slapd.access(5).
Regards,
Buchan
--
Buchan Milne                  Senior Support Technician
Obsidian Systems              http://www.obsidian.co.za
B.Eng RHCE (803004789010797), LPIC-1 (LPI000074592)
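As an added example (not from either poster), one way to write the policy Ben describes in slapd.conf, using the DNs from the thread; the attribute list and the rights given to the service accounts are assumptions about his intended policy. It also handles the entry pseudo-attribute documented in slapd.access(5): a search only returns an entry to an identity that has read access to it, whichever attributes are readable.

```conf
# Added example (not the poster's config): limit anonymous users of the
# users subtree to a few attributes. DNs are those from the thread; the
# attribute set and the service-account rights are assumed.

# 1. Basic attributes: the owner may change them; anonymous and the two
#    service accounts may read them; everyone else gets nothing.
access to dn.subtree="dc=users,dc=accounts,dc=ldap,dc=mcad,dc=edu"
        attrs=displayName,cn,mail,ou
        by self write
        by anonymous read
        by dn="cn=postfix,dc=bindAccts,dc=ldap,dc=mcad,dc=edu" read
        by dn="cn=barracuda,dc=bindAccts,dc=ldap,dc=mcad,dc=edu" read
        by * none

# 2. The entry pseudo-attribute (see slapd.access(5)) gates whether an
#    entry is returned at all. A rule without attrs= covers it too, so
#    grant read here, ahead of the catch-all below; otherwise anonymous
#    ends up with only "search" on it and every result is withheld.
access to dn.subtree="dc=users,dc=accounts,dc=ldap,dc=mcad,dc=edu"
        attrs=entry
        by * read

# 3. userPassword: usable for binding, writable by its owner, readable
#    by nobody, service accounts included.
access to dn.subtree="dc=users,dc=accounts,dc=ldap,dc=mcad,dc=edu"
        attrs=userPassword
        by self write
        by anonymous auth
        by * none

# 4. Everything else: only accounts under bindAccts may read it.
#    Anonymous keeps "search" so filters on these attributes still
#    evaluate, but their values are never returned.
access to dn.subtree="dc=users,dc=accounts,dc=ldap,dc=mcad,dc=edu"
        by dn.children="dc=bindAccts,dc=ldap,dc=mcad,dc=edu" read
        by anonymous search
        by * none
```

slapd stops at the first `access to` clause whose target matches, so the entry and userPassword rules only work because they precede the catch-all. Note that `search` on an attribute lets a filter test its value even though the value is not returned, so any other attribute that must stay private needs its own rule like the userPassword one.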