Re: Access questions



On Mon, Jan 14, 2013 at 10:28 PM, Dieter Klünter <dieter@dkluenter.de> wrote:
> On Mon, 14 Jan 2013 21:11:26 -0800
> Ori Bani <oribani@gmail.com> wrote:
>
>> Hello,
>>
>> I think I understand that default access for everything that does not
>> have any access rule is to allow read permission to everyone.  All
>> other entries (that have some form of access rules) will have a
>> default of "access to * by * none" applied.  I'd like instead to have
>> all defaults be no access.
>>
>> I have a directory that will be used for internal email processes and
>> also have a certain amount of public/anonymous access (but only to
>> chosen attributes).  Due to the public/anonymous component, I'd like
>> to have default access rules be as restrictive as possible.
>>
>> Does it make sense to (do people commonly) set a global access of
>> "access to * by * none" and then open access up for individual
>> databases as desired?
>>
>> I'm thinking a global rule:
>>
>> access to *
>>      by dn.base="cn=Manager,dc=example,dc=com" write
>>      by * none
>>
>> Then each database will have to explicitly open access only as much
>> as needed.
>
> No, that is not the way ACL's work.

The rules I suggested were a result of reading through all the
documentation. Can you please be more specific as to what part of my
suggestion is wrong-headed or will not work?

Or can someone else give it a try?
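
Added example (not part of the original message and not OpenLDAP code): a simplified Python model of the evaluation order documented in slapd.access(5), where database rules are checked before global rules and the first matching `<what>` and then the first matching `<who>` decide the result, applied to the global rule quoted above. The `attrs=mail` database rule and the function names are hypothetical, and DN and attribute matching are reduced to case-insensitive string comparison.

```python
# Simplified model of slapd ACL evaluation (added example, not OpenLDAP code).
# Access levels in increasing order, as listed in slapd.access(5).
LEVELS = ["none", "disclose", "auth", "compare", "search", "read", "write", "manage"]
MANAGER = "cn=Manager,dc=example,dc=com"

# The global rule quoted in the message: (what, [(who, level), ...]).
GLOBAL_RULES = [("*", [("dn.base=" + MANAGER, "write"), ("*", "none")])]

# Hypothetical per-database rule opening a single attribute (assumption).
DB_RULES = [("attrs=mail", [("*", "read")])]


def what_matches(what, attr):
    """Match the <what> part; only '*' and 'attrs=a,b' are modelled."""
    if what == "*":
        return True
    if what.startswith("attrs="):
        names = [a.lower() for a in what[len("attrs="):].split(",")]
        return attr.lower() in names
    return False


def who_matches(who, bind_dn):
    """Match the <who> part; bind_dn is None for an anonymous client."""
    if who == "*":
        return True
    if who.startswith("dn.base="):
        return bind_dn is not None and bind_dn.lower() == who[len("dn.base="):].lower()
    return False


def granted(db_rules, global_rules, bind_dn, attr):
    """Return the access level granted for one attribute (rootdn is not modelled)."""
    rules = list(db_rules) + list(global_rules)  # database rules come first
    if not rules:
        return "read"  # no access directives anywhere: everyone may read
    for what, by_clauses in rules:
        if what_matches(what, attr):  # first matching <what> ends the search
            for who, level in by_clauses:
                if who_matches(who, bind_dn):  # first matching <who> decides
                    return level
            return "none"  # implicit trailing "by * none"
    return "none"  # implicit trailing "access to * by * none"


def allows(level, wanted):
    """True if the granted level is at least the wanted level."""
    return LEVELS.index(level) >= LEVELS.index(wanted)
```

In this model the Manager DN gets only `read` on `mail`, because the database rule matches first and the global rule is never reached for that attribute.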