[Date Prev][Date Next]
[Chronological]
[Thread]
[Top]
Re: Access questions
>> >> >> I think I understand that default access for everything that
>> >> >> does not have any access rule is to allow read permission to
>> >> >> everyone. All other entries (that have some form of access
>> >> >> rules) will have a default of "access to * by * none" applied.
>> >> >> I'd like instead to have all defaults be no access.
>> >> >>
>> >> >> I have a directory that will be used for internal email
>> >> >> processes and also have a certain amount of public/anonymous
>> >> >> access (but only to chosen attributes). Due to the
>> >> >> public/anonymous component, I'd like to have default access
>> >> >> rules be as restrictive as possible.
>> >> >>
>> >> >> Does it make sense to (do people commonly) set a global access
>> >> >> of "access to * by * none" and then open access up for
>> >> >> individual databases as desired?
>> >> >>
>> >> >> I'm thinking a global rule:
>> >> >>
>> >> >> access to *
>> >> >> by dn.base="cn=Manager,dc=example,dc=com" write
>> >> >> by * none
>> >> >>
>> >> >> Then each database will have to explicitly open access only as
>> >> >> much as needed.
>> >> >
>> >> > No, that is not the way ACL's work.
>> >>
>> >> The rules I suggested were a result of reading through all the
>> >> documentation. Can you please be more specific as to what part of
>> >> my suggestion is wrong-headed or will not work?
>> >>
>> >> Or can someone else give it a try?
>> >
>> > The most important sentence is:
>> > Access
>> > control checking stops at the first match of the <what> and
>> > <who> clause, unless otherwise dictated by the <control> clause.
>> >
>> > According to your rule set checking will stop at the first rule,
>> > that is " access to * by * none".
>>
>> That rule being a global rule, my understanding is that it gets
>> appended to rules that are specified for any one database. This is
>> redundant because any defined rules automatically have "access to * by
>> * none" appended to them.
>>
>> However, the reason I propose it is to ensure that any other access to
>> the LDAP server is denied in case some other database mistakenly
>> doesn't have rules, etc. -- just a secure fallback, a very common way
>> to approach publicly accessible systems as I'm sure you know.
>>
>> Does that clarify that part of my original inquiry?
>
> Just test it, as i mentionend,run slapd in debugging mode with acl
> parsing, or test with slapacl(8).
With due respect, if upon testing it does not work, my question still
remains - how can I make the default/global access rule to deny access
to everything for everyone?
I was also wondering if the rest of my rules made sense or not (see
first post in thread).