
RE: access and filters



while you weren't looking, Kurt D. Zeilenga (Kurt@OpenLDAP.org) wrote:

[...]

> Before you write any ACLs, you should write down what
> your desired access policy.

I kind-of had; I think the problem is more in my English to OpenLDAP
ACL translation skills...

> From what you've said here, your desired policy is something like:
>     a) allow anonymous users to search for authentication
>     identity (but not read entry contents)
>     b) allow authentication using identity and password
>     c) allow authenticated users read access to everything
>     except passwords
>     d) allow users to update their object
>     e) allow managers to update anything and everything

Other than that authenticated users should only be able to read their
own object, on the nose.  Since they'll never directly interact with
LDAP, however, and are instead mediated through a PHP script their
login process calls, this works well enough as is.  I can always go
back and tighten things down later.

Many thanks, Kurt.  My directory works as desired now.

Cheers,

/rls

--
Rosser Schwarz
Total Card, Inc.
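For readers doing the same English-to-ACL translation, here is a slapd.conf access block that implements policy points a) through e) quoted above. It is an added example, not configuration from the original thread, and it assumes a constructed suffix dc=example,dc=com and a constructed manager group cn=managers,ou=groups,dc=example,dc=com.

```conf
# Added example (not from the original thread). Placeholder names:
# suffix dc=example,dc=com, manager group cn=managers,ou=groups,dc=example,dc=com.
# slapd evaluates "access to" clauses top-down and uses the first one whose
# target matches, so the password rule must precede the catch-all rule.

# (b) anyone may bind against userPassword ("auth" permits comparison during
#     bind but not reading or filtering on the value)
# (d)/(e) the entry owner and managers may change it ("write" implies read,
#     so both can also read the stored hash)
# (c) every other authenticated user gets no access to passwords
access to attrs=userPassword
    by self write
    by group="cn=managers,ou=groups,dc=example,dc=com" write
    by anonymous auth
    by * none

# (a) anonymous may search (match filters such as uid=jdoe) but cannot read
#     attribute values back; "search" is below "read" in slapd's privilege order
# (c) authenticated users may read everything that the rule above did not
#     already restrict
# (d) the owner may update its own object; (e) managers may update anything
access to *
    by self write
    by group="cn=managers,ou=groups,dc=example,dc=com" write
    by users read
    by anonymous search
    by * none
```

To match the stricter preference stated in the reply (authenticated users read only their own object), drop the `by users read` line from the second rule; `by self write` already covers the owner's access.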