[Date Prev][Date Next] [Chronological] [Thread] [Top]

HEADS UP: ACL Changes

To: openldap-devel@OpenLDAP.org
Subject: HEADS UP: ACL Changes
From: "Kurt D. Zeilenga" <Kurt@OpenLDAP.org>
Date: Sun, 04 Jul 1999 21:16:39 -0700
Organization: OpenLDAP <http://www.openldap.org/>

I have put in place some additional ACL controls to allow you to
grant "auth" access to entries.  The new "auth" level is next
to lowest level (between "none" and "compare").  A bind now
check for "auth" access to "entry" and "userPassword/krbName".

This allows you to control exactly which entries can be bound
to.  Also, note, the connection is always considerred "anonymous"
during bind.  I've added a keyword "anonymous" as a short hand
for dn="^$".

WARNING: Previously slapd would allow any client to attempt to bind to
any entry regardless of what ACLs were in place.  As such,
you may need to add "by anonymous auth" who clauses to some
of your ACLs.

--disable-aclgroups is no longer an option.  Group ACLs are
now always available.

Example of use:

  defaultaccess none

  # person entries can be bound to using userPassword
  # (and person can modify their password)
  access to filter="objectclass=person" attr=userPassword
	by self write
	by anonymous auth
	by * none

  # No other userPassword access (hence only persons can
  # can be binds).
  access to attr=userPassword
	by * none

  # People can self write, People can bind, but nothing else.
  access to dn=".*,ou=People,dc=OpenLDAP,dc=Org"
	by self write
	by anonymous auth
	by * none

  # anonymous cannot see anything else, others can read.
  access to *
	by anonymous none
	by * read

Prev by Date: Building a backend.
Next by Date: RE: Building a backend.
Index(es):
- Chronological
- Thread