[Date Prev][Date Next] [Chronological] [Thread] [Top]

Question to an ACL

To: openldap-technical@openldap.org
Subject: Question to an ACL
From: Andreas Rudat <rudat@endstelle.de>
Date: Fri, 18 Nov 2011 17:44:02 +0100
User-agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:8.0) Gecko/20111105 Thunderbird/8.0

Hi,

I'm trying to understand these acl's:

{0} to attrs=userPassword,shadowLastChange,sambaNTPassword,sambaLMPassword
     by dn="cn=admin,dc=foo,dc=bar" write <--admin can read/write
     by anonymous auth <--anonyomous can auth
     by self  write  <--- object owner can read/write
     by * none <--all other users denied

{1}to dn.base=""
     by * read <-- all can read the root dc=foo, dc=bar
{2}to *
     by dn="cn=admin,dc=studsemi,dc=intern" write <--
     by * read

so with acl 0: users and admin can read/write passwords, all others can
do nothing with that
acl 1: ALL can read the root dc=foo,dc=bar
acl 2: all other attributes can be read by all others and only admin can
also modify all other attributes?

so if that is correct, then I think acl 1 isnt needed?

Thanks

Follow-Ups:
- Re: Question to an ACL
  - From: Hallvard B Furuseth <h.b.furuseth@usit.uio.no>
- Re: Question to an ACL
  - From: Hallvard B Furuseth <h.b.furuseth@usit.uio.no>

Prev by Date: Re: OpenLDAP SASL Passthrough
Next by Date: Re: Question to an ACL
Index(es):
- Chronological
- Thread