Re: Access control
On 6/22/05, Buchan Milne <bgmilne@obsidian.co.za> wrote:
> > # Let anonymous users read just the basic attributes
> > access to dn.subtree="dc=users,dc=accounts,dc=ldap,dc=mcad,dc=edu"
> > attrs=displayName,cn,mail
> > by self write
> > by anonymous read
> > by dn="cn=postfix,dc=bindAccts,dc=ldap,dc=mcad,dc=edu" read
> > by dn="cn=barracuda,dc=bindAccts,dc=ldap,dc=mcad,dc=edu" read
> > by * none
>
> Shouldn't the last line be (assuming these are the attributes you want
> to be visible to anonymous users):
> by * read?
Possibly, but I'm not sure why; I explicitly allow anonymous binds to
read earlier in the ACL. My understanding is the 'by *' clause
catches only users not explicitly listed. I'll experiment with that.
> > #Let only accounts under bindAccts read the rest
> > access to dn.subtree="dc=users,dc=accounts,dc=ldap,dc=mcad,dc=edu"
> > by dn.children="dc=bindAccts,dc=ldap,dc=mcad,dc=edu" read
> > by anonymous search
> > by * none
>
> Hmm, all bind accounts can read all attributes of any other users? Like
> userPassword? Maybe not such a good idea.
This isn't the full (or final) ACL. The first entry is the obligatory
"no one can read userPassword" entry. And once I figure out how to
deny all but specified attributes to anonymous users, I will tighten
up the rest of the ACL.
> > With that approach, anonymous users see nothing.
>
> Yep ... because you haven't got an access rule for "anonymous" on the
> first ACL, but you restrict everyone (including anonymous) to none.
Nope. If you look back at the 1st ACL, the second <by> clause allows
anonymous to read.
> > If I comment out the second ACL, the query falls through to the list ACL
> > in my config, which is:
> >
> > access to *
> > by <specific accounts> write
> > by * read
>
> Your last ACL should probably not be "by * read" for what you want to
> accomplish ...
Only if I can't get the second ACL listed above to work. If I can get
it to do what I want, anonymous users will stop there.
> Also, "by users" and "by self" may be useful to you...
Not really. As I stated earlier, I'm trying to restrict what
*anonymous* users can see to an explicitly listed subset of the
attributes in an entry.
-Ben
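For reference, an ACL set that does what Ben describes, added here as an illustration and not taken from the thread: it keeps userPassword unreadable, exposes only the listed attributes to anonymous, and leaves the rest to the bind accounts. It assumes Ben's suffixes and uses slapd.access(5) syntax; note that slapd applies the first "access to" clause whose target matches, so each attribute is governed by exactly one rule, and anonymous also needs read on the "entry" pseudo-attribute, otherwise the entries are not returned at all (a likely reason anonymous "sees nothing" when the catch-all rule grants only search).

```conf
# Added example, not from the thread. Assumes Ben's suffixes; everything
# else is standard slapd.access(5) syntax. Rules are first-match, so the
# most specific targets go first.

# 1. userPassword: never readable, only usable for simple bind (auth).
access to dn.subtree="dc=users,dc=accounts,dc=ldap,dc=mcad,dc=edu"
        attrs=userPassword
        by self write
        by anonymous auth
        by * none

# 2. The attributes anonymous may see. "entry" must be included here,
#    or anonymous can match entries in a search but never see them.
#    The bind accounts are listed too: first-match means they would
#    otherwise fall through to "by * none" for cn and mail.
access to dn.subtree="dc=users,dc=accounts,dc=ldap,dc=mcad,dc=edu"
        attrs=entry,displayName,cn,mail
        by self write
        by dn.children="dc=bindAccts,dc=ldap,dc=mcad,dc=edu" read
        by anonymous read
        by * none

# 3. Everything else in the users subtree: bind accounts only.
#    Anonymous gets no clause, so the explicit "by * none" (which is
#    also the implicit default) denies it.
access to dn.subtree="dc=users,dc=accounts,dc=ldap,dc=mcad,dc=edu"
        by self write
        by dn.children="dc=bindAccts,dc=ldap,dc=mcad,dc=edu" read
        by * none
```

Check the result with ldapsearch -x (anonymous) and again binding as one of the bindAccts DNs; anonymous should get cn, mail and displayName only, and neither bind should ever return userPassword.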