Re: Question to an ACL
Andreas Rudat writes:
> I'm trying to understand these acl's:
>
> {0} to attrs=userPassword,shadowLastChange,sambaNTPassword,sambaLMPassword
> by dn="cn=admin,dc=foo,dc=bar" write <--admin can read/write
> by anonymous auth <--anonymous can auth
> by self write <--- object owner can read/write
> by * none <--all other users denied
>
> {1}to dn.base=""
> by * read <-- all can read the root dc=foo, dc=bar
> {2}to *
> by dn="cn=admin,dc=studsemi,dc=intern" write <--
> by * read
>
> so with acl 0: users and admin can read/write passwords, all others can
> do nothing with that
Yup. At our site we don't make userPassword readable or searchable by
anyone except the rootdn. I.e. we use '=w' instead of 'write'. Or
'=wx' just in case there are some slapd features that can use it for
auth.
> acl 1: ALL can read the root dc=foo,dc=bar
No, all can read entry "". Unless you mistyped dn.base="dc=foo,dc=bar".
DN "" is not part of any database. It refers to the root DSE, a
read-only entry describing the server. If you have a database with
suffix "", the ACL also affects add/delete of entries below that (the
pseudo-attribute "children") and non-baseobject searches from DN "".
> acl 2: all other attributes can be read by all others and only admin can
> also modify all other attributes?
>
> so if that is correct, then I think acl 1 isn't needed?
Probably. Its effect here is to prevent ACL 2 for DN "", i.e. it
prevents admin write access for that DN, which makes no difference
except in a database with suffix "".
--
Hallvard
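For readers who want to try the advice in this reply, here is an added example (not part of the thread and not written by either poster) of the same three ACLs in cn=config form, with the password rule changed from "write" to "=w" so that only the rootdn can read or search the hashes. The suffix dc=foo,dc=bar, the admin DN cn=admin,dc=foo,dc=bar and the database entry olcDatabase={1}mdb,cn=config are assumptions; adjust them to your directory.

```ldif
# Added example, not from the original thread. Applies Hallvard's
# suggestion: self and admin get only the bare write privilege ("=w")
# on password attributes, so they can set a password but never read
# or search it. Assumed names: olcDatabase={1}mdb,cn=config,
# suffix dc=foo,dc=bar, admin DN cn=admin,dc=foo,dc=bar.
#
# Apply with e.g.:  ldapmodify -Y EXTERNAL -H ldapi:/// -f this.ldif
dn: olcDatabase={1}mdb,cn=config
changetype: modify
replace: olcAccess
# "=w" is the write privilege alone (no read, search, compare or
# auth). "by anonymous auth" lets a simple bind verify the stored hash
# without exposing it. Change "=w" to "=wx" if some feature you rely
# on needs the auth (x) privilege on the user's own password. If
# cn=admin is also the database olcRootDN, ACLs never apply to it.
olcAccess: {0}to attrs=userPassword,shadowLastChange,sambaNTPassword,sambaLMPassword
  by dn.exact="cn=admin,dc=foo,dc=bar" =w
  by anonymous auth
  by self =w
  by * none
# DN "" is the root DSE, not the suffix; it stays readable by all.
# To grant read on the suffix entry itself, use
# dn.base="dc=foo,dc=bar" instead.
olcAccess: {1}to dn.base=""
  by * read
# Everything else: admin may modify, everyone may read.
olcAccess: {2}to *
  by dn.exact="cn=admin,dc=foo,dc=bar" write
  by * read
```

A quick check after loading it: bind as an ordinary user with `ldapsearch -D "<own DN>" -W -b "<own DN>" userPassword` and confirm the attribute does not come back, then confirm `ldappasswd -D "<own DN>" -W -S` still succeeds. The first shows "=w" withholds read, the second shows it still permits the Password Modify operation.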