[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: help with ACLs

To: Adam Williams <awilliam@mdah.state.ms.us>
Subject: Re: help with ACLs
From: Denis Sacchet <ouba@ouba.org>
Date: Mon, 28 Jan 2008 15:49:04 +0100
Cc: openldap-software@openldap.org
In-reply-to: <479DEA52.7010505@mdah.state.ms.us>
References: <479DE3C9.3000104@mdah.state.ms.us> <479DE7E9.4080606@ouba.org> <479DEA52.7010505@mdah.state.ms.us>
User-agent: Thunderbird 2.0.0.6 (X11/20071022)

what user do you use with pam_ldap / nss_ldap / samba to access to the directory ? My ACLs are a quite complicated because I have also postfix, apache, egroupware who access to the different entries / attribute, but I have a different user for each service, and set the ACLs depending of this user ... I don't know if I can't put the whole set of ACLs on this list (about 100 lines), but everything works fine and nobody can access or modify data they don't have the right ...

If you are interested, I can mail you directly the part of config file you are interested in ...

Denis

Adam Williams wrote:

Denis Sacchet wrote:
As you put "by * read" anyone can read the three specified attribute, delete this line, and anonymous use will be able to authenticate, the node will be able to modified itself, and all other kind of users will have a denied access
access to *
       by * read
With this place after, all the directory will be visible by everybody (including anonymous one), perhaps it should be better to put here "by user read" but it just a "supposition" as I don't know what do you want to do with your directory.
Best regards
Denis Sacchet
thanks, when I changed
access to *
      by * read
to
access to *
      by self read
and restart slapd, i can't log in properly. the setting is too restrictive.
id: cannot find name for user ID 511
[I have no name!@roark ~]$
and when I put it as
access to *
   by user read
slapd complains that the configuration file is not valid. I'm just trying to have my directory work, where users can log in to their shell account file, samba users can authenticate fine, and no one can see or change anyone else's passwords.
so now my ACL is:
access to attrs=userPassword,sambaLMPassword,sambaNTPassword
       by self write
       by anonymous auth
       by * none
access to *
       by * read


--
Denis Sacchet aka. Ouba                     ("`-/")_.-'"``-._
                                             . . `; -._    )-;-,_`)
"Computers are like air conditionners       (v_,)'  _  )`-.\  ``-'
They stop working properly when you        _.- _..-_/ / ((.'
open Windows !!!"                        ((,.-'   ((,/

References:
- help with ACLs
  - From: Adam Williams <awilliam@mdah.state.ms.us>
- Re: help with ACLs
  - From: Denis Sacchet <ouba@ouba.org>
- Re: help with ACLs
  - From: Adam Williams <awilliam@mdah.state.ms.us>

Prev by Date: Re: help with ACLs
Next by Date: meaning of timeout value in ldap_search_ext
Index(es):
- Chronological
- Thread