
Re: Access questions



On Tue, Jan 15, 2013 at 11:52 AM, Dieter Klünter <dieter@dkluenter.de> wrote:
> Am Tue, 15 Jan 2013 09:43:02 -0800
> schrieb Ori Bani <oribani@gmail.com>:
>
>> On Mon, Jan 14, 2013 at 10:28 PM, Dieter Klünter
>> <dieter@dkluenter.de> wrote:
>> > Am Mon, 14 Jan 2013 21:11:26 -0800
>> > schrieb Ori Bani <oribani@gmail.com>:
>> >
>> >> Hello,
>> >>
>> >> I think I understand that default access for everything that does
>> >> not have any access rule is to allow read permission to everyone.
>> >> All other entries (that have some form of access rules) will have a
>> >> default of "access to * by * none" applied.  I'd like instead to
>> >> have all defaults be no access.
>> >>
>> >> I have a directory that will be used for internal email processes
>> >> and also have a certain amount of public/anonymous access (but
>> >> only to chosen attributes).  Due to the public/anonymous
>> >> component, I'd like to have default access rules be as restrictive
>> >> as possible.
>> >>
>> >> Does it make sense to (do people commonly) set a global access of
>> >> "access to * by * none" and then open access up for individual
>> >> databases as desired?
>> >>
>> >> I'm thinking a global rule:
>> >>
>> >> access to *
>> >>      by dn.base="cn=Manager,dc=example,dc=com" write
>> >>      by * none
>> >>
>> >> Then each database will have to explicitly open access only as much
>> >> as needed.
>> >
>> > No, that is not the way ACL's work.
>>
>> The rules I suggested were a result of reading through all the
>> documentation. Can you please be more specific as to what part of my
>> suggestion is wrong-headed or will not work?
>>
>> Or can someone else give it a try?
>
> The most important sentence is:
> "Access control checking stops at the first match of the <what> and
> <who> clause, unless otherwise dictated by the <control> clause."
>
> According to your rule set checking will stop at the first rule, that
> is "access to * by * none".

That rule being a global rule, my understanding is that it gets
appended to rules that are specified for any one database. This is
redundant because any defined rules automatically have "access to * by
* none" appended to them.

However, the reason I propose it is to ensure that any other access to
the LDAP server is denied in case some other database mistakenly
doesn't have rules, etc. -- just a secure fallback, a very common way
to approach publicly accessible systems as I'm sure you know.

Does that clarify that part of my original inquiry?
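As an added illustration of the ordering the thread is arguing about (written for this reply; it is not OpenLDAP code and not from either poster): a small Python model of the evaluation order that slapd.access(5) documents, namely that the ACLs of the database holding an entry are checked before the global ACLs, that the first matching "access to" directive and the first matching "by" clause decide the outcome, and that a database with no ACLs at all defaults to read. The supported ACL syntax is a deliberately small subset, and the configuration, entry names and requester DNs are all made up for the example.

```python
"""Toy model of slapd ACL evaluation order (added example, not OpenLDAP code).

Per slapd.access(5): the ACLs of the database holding the entry are tried
first, then the global ACLs; the first matching <what> is selected and the
first matching <by> in it sets the level; with no ACL at all the default is
read. Assumed minimal syntax: <what> is '*' or dn.subtree="..." with an
optional attrs=a,b; <who> is '*', anonymous, users, self or dn.base="...".
"""

# Privilege levels in increasing order, as in slapd.access(5).
LEVELS = ["none", "disclose", "auth", "compare", "search", "read", "write"]

def parse_acl(text):
    rules = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("access to "):
            rules.append({"what": line[len("access to "):].strip(), "by": []})
        elif line.startswith("by "):
            who, level = line[3:].rsplit(None, 1)
            rules[-1]["by"].append((who, level))
    return rules

def in_subtree(dn, base):
    return dn == base or dn.endswith("," + base)

def what_matches(what, entry_dn, attr):
    target, _, attrs = what.partition(" attrs=")
    # A rule without attrs= covers the entry and all of its attributes.
    if attrs and attr not in attrs.split(","):
        return False
    if target == "*":
        return True
    if target.startswith('dn.subtree="') and target.endswith('"'):
        return in_subtree(entry_dn, target[len('dn.subtree="'):-1])
    raise ValueError("unsupported <what>: " + target)

def who_matches(who, entry_dn, requester_dn):
    """requester_dn is None for an anonymous bind."""
    simple = {"*": True, "anonymous": requester_dn is None,
              "users": requester_dn is not None, "self": requester_dn == entry_dn}
    if who in simple:
        return simple[who]
    if who.startswith('dn.base="') and who.endswith('"'):
        return requester_dn == who[len('dn.base="'):-1]
    raise ValueError("unsupported <who>: " + who)

def database_for(entry_dn, databases):
    holders = [s for s in databases if in_subtree(entry_dn, s)]
    return max(holders, key=len) if holders else None

def granted_level(databases, global_rules, entry_dn, attr, requester_dn):
    """Level slapd would grant; databases maps suffix -> parsed ACL list."""
    db = database_for(entry_dn, databases)
    candidates = (databases[db] if db else []) + global_rules  # db ACLs first
    if not candidates:
        return "read"  # no ACL anywhere: slapd's default is read
    for rule in candidates:
        if what_matches(rule["what"], entry_dn, attr):
            for who, level in rule["by"]:
                if who_matches(who, entry_dn, requester_dn):
                    return level
            return "none"  # <what> matched but no <by> clause did
    return "none"  # implicit trailing 'access to * by * none'

def allowed(databases, global_rules, entry_dn, attr, requester_dn, wanted):
    level = granted_level(databases, global_rules, entry_dn, attr, requester_dn)
    return LEVELS.index(level) >= LEVELS.index(wanted)

# Constructed config: the thread's global fallback, one database that opens
# chosen attributes to anonymous, and one (o=mail) whose ACLs were forgotten.
GLOBAL_ACL = parse_acl('''
access to *
    by dn.base="cn=Manager,dc=example,dc=com" write
    by * none
''')
DATABASES = {
    "dc=example,dc=com": parse_acl('''
access to dn.subtree="ou=people,dc=example,dc=com" attrs=userPassword
    by self write
    by anonymous auth
    by * none
access to dn.subtree="ou=people,dc=example,dc=com" attrs=mail,cn
    by anonymous read
    by users read
'''),
    "o=mail": [],
}
MANAGER = "cn=Manager,dc=example,dc=com"
ALICE = "uid=alice,ou=people,dc=example,dc=com"

def walkthrough():
    """Levels granted in the cases the thread is about (constructed data)."""
    return {
        "anonymous reads alice mail": granted_level(DATABASES, GLOBAL_ACL, ALICE, "mail", None),
        "manager writes alice mail": granted_level(DATABASES, GLOBAL_ACL, ALICE, "mail", MANAGER),
        "anonymous reads o=mail entry": granted_level(DATABASES, GLOBAL_ACL, "cn=queue,o=mail", "mail", None),
    }
```

Calling walkthrough() shows both halves of the argument at once: the database-level rule on ou=people matches first, so anonymous gets read on mail while even the Manager DN only reaches "by users read" there and never gets to the global write clause; the o=mail database, which has no rules of its own, falls through to the global "by * none" and anonymous is denied. Evaluating granted_level({}, [], ...) against an empty configuration returns "read", which is the default-read behaviour the global fallback is meant to close off.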