[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: Access questions

To: openldap-technical@openldap.org
Subject: Re: Access questions
From: Dieter KlÃnter <dieter@dkluenter.de>
Date: Tue, 15 Jan 2013 07:28:31 +0100
In-reply-to: <CALBCx2fQ0o+5-Qu=CMyGyiUEiaW36zWusny6xO4sQYEkKjNbpw@mail.gmail.com>
Organization: AVCI
References: <CALBCx2fQ0o+5-Qu=CMyGyiUEiaW36zWusny6xO4sQYEkKjNbpw@mail.gmail.com>

Am Mon, 14 Jan 2013 21:11:26 -0800
schrieb Ori Bani <oribani@gmail.com>:

> Hello,
> 
> I think I understand that default access for everything that does not
> have any access rule is to allow read permission to everyone.  All
> other entries (that have some form of access rules) will have a
> default of "access to * by * none" applied.  I'd like instead to have
> all defaults be no access.
> 
> I have a directory that will be used for internal email processes and
> also have a certain amount of public/anonymous access (but only to
> chosen attributes).  Due to the public/anonymous component, I'd like
> to have default access rules be as restrictive as possible.
> 
> Does it make sense to (do people commonly) set a global access of
> "access to * by * none" and then open access up for individual
> databases as desired?
> 
> I'm thinking a global rule:
> 
> access to *
>      by dn.base="cn=Manager,dc=example,dc=com" write
>      by * none
> 
> Then each database will have to explicitly open access only as much
> as needed.

No, that is not the way ACL's work.
[...]
> 
> Any tips much appreciated.
> 

man slapd.acess(5) and
http://www.openldap.org/faq/data/cache/189.html

-Dieter

-- 
Dieter KlÃnter | Systemberatung
http://dkluenter.de
GPG Key ID:DA147B05
53Â37'09,95"N
10Â08'02,42"E

Follow-Ups:
- Re: Access questions
  - From: Ori Bani <oribani@gmail.com>

References:
- Access questions
  - From: Ori Bani <oribani@gmail.com>

Prev by Date: Re: kernel: slapd[7962]: segfault
Next by Date: Re: kernel: slapd[7962]: segfault
Index(es):
- Chronological
- Thread