[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: Access control

To: Buchan Milne <bgmilne@obsidian.co.za>
Subject: Re: Access control
From: Ben Beuchler <insyte@gmail.com>
Date: Wed, 22 Jun 2005 08:28:51 -0500
Cc: openldap-software@OpenLDAP.org
Content-disposition: inline
Domainkey-signature: a=rsa-sha1; q=dns; c=nofws; s=beta; d=gmail.com; h=received:message-id:date:from:reply-to:to:subject:cc:in-reply-to:mime-version:content-type:content-transfer-encoding:content-disposition:references; b=shlRxuEZAmqu0sssb1rM8thozCOG3qWvkDXso2o3sW+pxRiXlt/38ZF04x1gTyNYZv0pm0hnU+WGY0k1WKbBY0rK4yVyPTsQv6rK0I1r+iVA+e8Bzivv6LGqkOM+jYLF+Zg6eeUOLgezs2GgIQBfmr3TLD0iZuElr3tgiKWSLIM=
In-reply-to: <42B959C1.30808@obsidian.co.za>
References: <479b70ed0506211419730d66e3@mail.gmail.com> <42B959C1.30808@obsidian.co.za>

On 6/22/05, Buchan Milne <bgmilne@obsidian.co.za> wrote:

> > # Let anonymous users read just the basic attributes
> > access to dn.subtree="dc=users,dc=accounts,dc=ldap,dc=mcad,dc=edu"
> > attrs=displayName,cn,mail
> >         by self write
> >         by anonymous read
> >         by dn="cn=postfix,dc=bindAccts,dc=ldap,dc=mcad,dc=edu" read
> >         by dn="cn=barracuda,dc=bindAccts,dc=ldap,dc=mcad,dc=edu" read
> >         by * none
> 
> Shouldn't the last line be (assuming these are the attributes you want
> to be visible to anonymous users):
> by * read?

Possibly, but I'm not sure why; I explicitly allow anonymous binds to
read earlier in the ACL.  My understanding is the 'by *' clause
catches only users not explicitly listed.  I'll experiment with that.

> > #Let only accounts under bindAccts read the rest
> > access to dn.subtree="dc=users,dc=accounts,dc=ldap,dc=mcad,dc=edu"
> >         by dn.children="dc=bindAccts,dc=ldap,dc=mcad,dc=edu" read
> >         by anonymous search
> >         by * none
> 
> Hmm, all bind accounts can read all attributes of any other users? Like
> userPassword? Maybe not such a good idea.

This isn't the full (or final) ACL.  The first entry is the obligatory
"no one can read userPassword" entry.  And once I figure out how to
deny all but specified attributes to anonymous users, I will tighten
up the rest of the ACL.

> > With that approach, anonymous users see nothing.
> 
> Yep ... because you haven't got an access rule for "anonymous" on the
> first ACL, but you restrict everyone (including anonymous) to none.

Nope.  If you look back at the 1st ACL, the second <by> clause allows
anonymous to read.

> > If I comment out the second ACL, the query falls through to the list ACL
> > in my config, which is:
> >
> > access to *
> >        by <specific accounts> write
> >        by * read
> 
> Your last ACL should probably not be "by * read" for what you want to
> accomplish ...

Only if I can't get the second ACL listed above to work.  If I can get
it to do what I want, anonymous users will stop there.

> Also, "by users" and "by self" may be useful to you...

Not really.  As I stated earlier, I'm trying to restrict what
*anonymous* users can see to an explicitly listed subset of the
attributes in an entry.

-Ben

References:
- Access control
  - From: Ben Beuchler <insyte@gmail.com>
- Re: Access control
  - From: Buchan Milne <bgmilne@obsidian.co.za>

Prev by Date: Re: cascade replication [auf Viren überprüft]
Next by Date: FW: access to * by * write (stil I can't delete the root dn)
Index(es):
- Chronological
- Thread