[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: Access control

To: Ben Beuchler <insyte@gmail.com>
Subject: Re: Access control
From: Buchan Milne <bgmilne@obsidian.co.za>
Date: Wed, 22 Jun 2005 14:29:53 +0200
Cc: openldap-software@OpenLDAP.org
In-reply-to: <479b70ed0506211419730d66e3@mail.gmail.com>
References: <479b70ed0506211419730d66e3@mail.gmail.com>
User-agent: Mozilla Thunderbird 1.0.2 (X11/20050322)

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Ben Beuchler wrote:
> By the time we roll in our OS X, mail, and internal data, individual
> directory entries are getting quite large.  I would like to restrict
> anonymous queries to just retrieving a small subset of attributes (cn,
> displayName, mail, ou, etc.).
>
> Is there some method that would allow me to specify which attributes
> an anonymous user can see, and default to denying the rest?
>
> This is what I tried:
>
> -------------------
>
> # Let anonymous users read just the basic attributes
> access to dn.subtree="dc=users,dc=accounts,dc=ldap,dc=mcad,dc=edu"
> attrs=displayName,cn,mail
>         by self write
>         by anonymous read
>         by dn="cn=postfix,dc=bindAccts,dc=ldap,dc=mcad,dc=edu" read
>         by dn="cn=barracuda,dc=bindAccts,dc=ldap,dc=mcad,dc=edu" read
>         by * none

Shouldn't the last line be (assuming these are the attributes you want
to be visible to anonymous users):
by * read
?

> #Let only accounts under bindAccts read the rest
> access to dn.subtree="dc=users,dc=accounts,dc=ldap,dc=mcad,dc=edu"
>         by dn.children="dc=bindAccts,dc=ldap,dc=mcad,dc=edu" read
>         by anonymous search
>         by * none
>

Hmm, all bind accounts can read all attributes of any other users? Like
userPassword? Maybe not such a good idea.

> --------------------
>
> With that approach, anonymous users see nothing.

Yep ... because you haven't got an access rule for "anonymous" on the
first ACL, but you restrict everyone (including anonymous) to none.

>  If I comment out the
> second ACL, the query falls through to the list ACL in my config,
> which is:
>
> access to *
>        by <specific accounts> write
>        by * read

Your last ACL should probably not be "by * read" for what you want to
accomplish ...

Also, "by users" and "by self" may be useful to you ... so please read
slapd.access(5).

Regards,
Buchan

- --
Buchan Milne                      Senior Support Technician
Obsidian Systems                  http://www.obsidian.co.za
B.Eng          RHCE (803004789010797),LPIC-1 (LPI000074592)
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.0 (GNU/Linux)
Comment: Using GnuPG with Thunderbird - http://enigmail.mozdev.org

iD8DBQFCuVnBrJK6UGDSBKcRAkl5AJ4+ooYCg0G9UgcjuFPJufKC2ZpX7QCaAnCT
HFv2lJoZWvQnb23Zt6sqjGE=
=xnPZ
-----END PGP SIGNATURE-----

Follow-Ups:
- Re: Access control
  - From: Ben Beuchler <insyte@gmail.com>

References:
- Access control
  - From: Ben Beuchler <insyte@gmail.com>

Prev by Date: openldap 2.3 recommended bdb version
Next by Date: Re: using openldap with mac os x clients
Index(es):
- Chronological
- Thread