Re: ACL or a default deny policy
Olivier Nicole <on@cs.ait.ac.th> writes:
> Hi,
>
> I am implementing a directory with OpenLDAP and I would like
> anonymous users to be able to read only certain attributes, while all other
> attributes are accessible to authenticated users only.
>
> # ACL 1: Data that the user can change and that the world can see
> access to dn.one="ou=People,ou=csim,dc=cs,dc=ait,dc=ac,dc=th"
> attrs=sn,givenName
> by group="cn=groupadmin..." write
> by self write
> by * read
>
> # ACL 2: Personal data, that the user can change and the world can not see
> access to dn.one="ou=People,ou=csim,dc=cs,dc=ait,dc=ac,dc=th"
> attrs=gecos,description
> by group="cn=groupadmin..." write
> by self write
> by * none
>
> # ACL 3: any attribute that is not explicitly allowed above is denied
> access to dn.one="ou=People,ou=csim,dc=cs,dc=ait,dc=ac,dc=th"
> by group="cn=groupadmin..." write
> by dn.subtree="ou=csim,dc=cs,dc=ait,dc=ac,dc=th" read
> by * none
>
> But this is not working. If I do it like this, an anonymous search will see
> nothing from the user.
>
> I found out somewhere that the attribute objectClass should always be exposed, so I tried to add it to ACL 1, but that is not working either. I must have a last ACL of the form
>
> access to dn.one="ou=People,ou=csim,dc=cs,dc=ait,dc=ac,dc=th"
> by group="cn=groupadmin..." write
> by dn.subtree="ou=csim,dc=cs,dc=ait,dc=ac,dc=th" read
> by * read
>
> and I don't see where my reasoning is going wrong.
The pseudo-attributes entry and children of the leaf node
ou=people,... are not accessible.
Run slapd in debug mode acl to watch the access control evaluation.
-Dieter
--
Dieter Klünter | Systemberatung
http://www.dkluenter.de
GPG Key ID:8EF7B6C6
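As an added example (not part of either poster's message), here is one way the posted ACL set can be extended so that an anonymous one-level search under ou=People returns entries again. The DNs are taken from the post; the full group DN `cn=groupadmin,ou=Groups,ou=csim,dc=cs,dc=ait,dc=ac,dc=th` is an assumption, since the post elides everything after `cn=groupadmin`, and the ou=Groups container is a placeholder.

```conf
# Added example, not the original poster's configuration.
# Group DN below is assumed (the thread elides it after cn=groupadmin).

# ACL 0: slapd only returns an entry in search results if the requester has
# read access to the "entry" pseudo-attribute, and it needs search access to
# objectClass to evaluate the usual (objectClass=...) filters. With the
# original ACLs these fell through to ACL 3's "by * none", so anonymous saw
# nothing. Write on "entry" is what delete/modrdn check, so keep it with the
# admin group rather than granting it to "self".
access to dn.one="ou=People,ou=csim,dc=cs,dc=ait,dc=ac,dc=th"
        attrs=entry,objectClass
        by group="cn=groupadmin,ou=Groups,ou=csim,dc=cs,dc=ait,dc=ac,dc=th" write
        by * read

# ACL 1: data the user can change and the world can see
access to dn.one="ou=People,ou=csim,dc=cs,dc=ait,dc=ac,dc=th"
        attrs=sn,givenName
        by group="cn=groupadmin,ou=Groups,ou=csim,dc=cs,dc=ait,dc=ac,dc=th" write
        by self write
        by * read

# ACL 2: personal data the user can change and the world cannot see
access to dn.one="ou=People,ou=csim,dc=cs,dc=ait,dc=ac,dc=th"
        attrs=gecos,description
        by group="cn=groupadmin,ou=Groups,ou=csim,dc=cs,dc=ait,dc=ac,dc=th" write
        by self write
        by * none

# ACL 3: everything not explicitly allowed above is readable only by
# authenticated users under ou=csim and denied to everyone else.
# This must stay last: slapd uses the first "access to" whose target
# (dn + attrs) matches, so a catch-all placed earlier shadows the rest.
access to dn.one="ou=People,ou=csim,dc=cs,dc=ait,dc=ac,dc=th"
        by group="cn=groupadmin,ou=Groups,ou=csim,dc=cs,dc=ait,dc=ac,dc=th" write
        by dn.subtree="ou=csim,dc=cs,dc=ait,dc=ac,dc=th" read
        by * none

# Optional: adding or deleting entries under ou=People requires write on the
# "children" pseudo-attribute of the container itself, which dn.one does not
# cover (dn.one matches the children, not ou=People). Only needed if the
# admin group should create or remove People entries.
access to dn.base="ou=People,ou=csim,dc=cs,dc=ait,dc=ac,dc=th"
        attrs=children
        by group="cn=groupadmin,ou=Groups,ou=csim,dc=cs,dc=ait,dc=ac,dc=th" write
        by * none
```

To check the result rather than reason about it, start slapd with the acl debug level (`slapd -d acl -f /path/to/slapd.conf`, path assumed) and run an anonymous search, e.g. `ldapsearch -x -b "ou=People,ou=csim,dc=cs,dc=ait,dc=ac,dc=th" -s one "(objectClass=*)" sn givenName gecos`; the debug output shows, per attribute, which `access to` clause matched and whether `entry`, `objectClass` and `gecos` were granted or denied. Repeat the search bound as a user under ou=csim (`-D <userDN> -W`) to confirm gecos and description appear only then.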