Access control
- To: openldap-software@OpenLDAP.org
- Subject: Access control
- From: Ben Beuchler <insyte@gmail.com>
- Date: Tue, 21 Jun 2005 16:19:20 -0500
By the time we roll in our OS X, mail, and internal data, individual
directory entries are getting quite large. I would like to restrict
anonymous queries to just retrieving a small subset of attributes (cn,
displayName, mail, ou, etc.).
Is there some method that would allow me to specify which attributes
an anonymous user can see, and default to denying the rest?
This is what I tried:
-------------------
# Let anonymous users read just the basic attributes
access to dn.subtree="dc=users,dc=accounts,dc=ldap,dc=mcad,dc=edu"
attrs=displayName,cn,mail
by self write
by anonymous read
by dn="cn=postfix,dc=bindAccts,dc=ldap,dc=mcad,dc=edu" read
by dn="cn=barracuda,dc=bindAccts,dc=ldap,dc=mcad,dc=edu" read
by * none
#Let only accounts under bindAccts read the rest
access to dn.subtree="dc=users,dc=accounts,dc=ldap,dc=mcad,dc=edu"
by dn.children="dc=bindAccts,dc=ldap,dc=mcad,dc=edu" read
by anonymous search
by * none
--------------------
With that approach, anonymous users see nothing. If I comment out the
second ACL, the query falls through to the last ACL in my config,
which is:
access to *
by <specific accounts> write
by * read
Thanks for any insight!
-Ben
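As an added illustration (not part of Ben's post or of OpenLDAP's own code), here is a small Python model of how slapd evaluates the two clauses above per slapd.access(5): the first `access to` clause whose target matches the entry and attribute is used, within it the first matching `by` wins, and if none of that clause's `by` lines match, access is denied. It assumes plain string DNs, ignores the `entry`/`children` pseudo-attributes, and does not model the global `access to *` clause.

```python
# Simplified evaluator for the two ACL clauses from the post (constructed model,
# not slapd's actual code). Privilege levels are ordered: a granted level
# satisfies any lower request, so "read" also allows "search" and "compare".
LEVELS = ["none", "disclose", "auth", "compare", "search", "read", "write"]
USERS = "dc=users,dc=accounts,dc=ldap,dc=mcad,dc=edu"
BINDACCTS = "dc=bindAccts,dc=ldap,dc=mcad,dc=edu"

def in_subtree(dn, base):
    return dn == base or dn.endswith("," + base)

def in_children(dn, base):
    return dn != base and dn.endswith("," + base)

# Each clause: (target subtree, lowercase attr set or None for all, [(who, level)]).
# "who" is ("self",), ("anonymous",), ("dn", exact), ("dn.children", base) or ("*",).
ACLS = [
    (USERS, {"displayname", "cn", "mail"}, [
        (("self",), "write"),
        (("anonymous",), "read"),
        (("dn", "cn=postfix," + BINDACCTS), "read"),
        (("dn", "cn=barracuda," + BINDACCTS), "read"),
        (("*",), "none"),
    ]),
    (USERS, None, [
        (("dn.children", BINDACCTS), "read"),
        (("anonymous",), "search"),
        (("*",), "none"),
    ]),
]

def who_matches(who, bound_dn, entry_dn):
    kind = who[0]
    if kind == "self":
        return bound_dn is not None and bound_dn == entry_dn
    if kind == "anonymous":
        return bound_dn is None          # anonymous = no bind DN
    if kind == "dn":
        return bound_dn == who[1]
    if kind == "dn.children":
        return bound_dn is not None and in_children(bound_dn, who[1])
    return True                          # "*" matches everyone

def granted_level(bound_dn, entry_dn, attr):
    """First matching <what> clause wins; inside it the first matching <who> wins."""
    for base, attrs, bys in ACLS:
        if not in_subtree(entry_dn, base) or (attrs is not None and attr.lower() not in attrs):
            continue
        for who, level in bys:
            if who_matches(who, bound_dn, entry_dn):
                return level
        return "none"                    # clause matched, no <who> did: deny, stop
    return "none"                        # nothing matched (global "access to *" not modelled)

def allowed(bound_dn, entry_dn, attr, needed):
    return LEVELS.index(granted_level(bound_dn, entry_dn, attr)) >= LEVELS.index(needed)
```

Note that with these two clauses a user bound as itself gets write on cn/mail/displayName but no access at all to its other attributes, because the second clause's `by self` line is absent.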