
Re: Access questions



On Tue, 15 Jan 2013 12:49:15 -0800
Ori Bani <oribani@gmail.com> wrote:

> On Tue, Jan 15, 2013 at 11:52 AM, Dieter Klünter
> <dieter@dkluenter.de> wrote:
> > On Tue, 15 Jan 2013 09:43:02 -0800
> > Ori Bani <oribani@gmail.com> wrote:
> >
> >> On Mon, Jan 14, 2013 at 10:28 PM, Dieter Klünter
> >> <dieter@dkluenter.de> wrote:
> >> > On Mon, 14 Jan 2013 21:11:26 -0800
> >> > Ori Bani <oribani@gmail.com> wrote:
> >> >
> >> >> Hello,
> >> >>
> >> >> I think I understand that default access for everything that
> >> >> does not have any access rule is to allow read permission to
> >> >> everyone. All other entries (that have some form of access
> >> >> rules) will have a default of "access to * by * none" applied.
> >> >> I'd like instead to have all defaults be no access.
> >> >>
> >> >> I have a directory that will be used for internal email
> >> >> processes and also have a certain amount of public/anonymous
> >> >> access (but only to chosen attributes).  Due to the
> >> >> public/anonymous component, I'd like to have default access
> >> >> rules be as restrictive as possible.
> >> >>
> >> >> Does it make sense to (do people commonly) set a global access
> >> >> of "access to * by * none" and then open access up for
> >> >> individual databases as desired?
> >> >>
> >> >> I'm thinking a global rule:
> >> >>
> >> >> access to *
> >> >>      by dn.base="cn=Manager,dc=example,dc=com" write
> >> >>      by * none
> >> >>
> >> >> Then each database will have to explicitly open access only as
> >> >> much as needed.
> >> >
> >> > No, that is not the way ACL's work.
> >>
> >> The rules I suggested were a result of reading through all the
> >> documentation. Can you please be more specific as to what part of
> >> my suggestion is wrong-headed or will not work?
> >>
> >> Or can someone else give it a try?
> >
> > The most important sentence is:
> > "Access control checking stops at the first match of the <what> and
> > <who> clause, unless otherwise dictated by the <control> clause."
> >
> > According to your rule set, checking will stop at the first rule,
> > that is "access to * by * none".
> 
> That rule being a global rule, my understanding is that it gets
> appended to rules that are specified for any one database. This is
> redundant because any defined rules automatically have "access to * by
> * none" appended to them.
> 
> However, the reason I propose it is to ensure that any other access to
> the LDAP server is denied in case some other database mistakenly
> doesn't have rules, etc. -- just a secure fallback, a very common way
> to approach publicly accessible systems as I'm sure you know.
> 
> Does that clarify that part of my original inquiry?

Just test it, as I mentioned: run slapd in debugging mode with ACL
parsing, or test with slapacl(8).

-Dieter 

-- 
Dieter Klünter | Systemberatung
http://dkluenter.de
GPG Key ID:DA147B05
53°37'09,95"N
10°08'02,42"E
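The layout Ori describes, written out as an added example that is not from this thread and not anyone's production configuration. It follows the rules stated in slapd.access(5) and the Admin Guide's access-control chapter: with no ACLs at all, slapd lets everyone read everything and reserves updates for the rootdn; as soon as a database has an ACL list, that list is evaluated first, the global list is appended after it, and a non-empty list ends with an implicit "access to * by * none". A global "access to * by * none" is therefore the whole ACL list of any database that forgot to define one, which is exactly the fallback Ori wants. The Manager clause from the original post is left out because the rootdn bypasses ACLs on its own database anyway. The suffix, DNs, group name, attribute list and directory path are assumptions chosen for illustration.

```conf
########################################################################
# Global section of slapd.conf (everything before the first "database"
# line). "access" directives placed here are appended to each database's
# own ACL list, so they are reached only when no database-specific
# rule matched. For a database that defines no ACLs at all, this rule
# is its entire list and replaces the built-in "anyone may read" default.
########################################################################
access to *
        by * none

########################################################################
# Directory used by the mail system, with limited anonymous access.
# Suffix, DNs and path are hypothetical.
########################################################################
database        mdb
suffix          "dc=example,dc=com"
rootdn          "cn=Manager,dc=example,dc=com"
# rootpw omitted; generate one with slappasswd(8) or bind via SASL.
directory       /var/lib/ldap/example

# Database-specific ACLs. Evaluated top to bottom, first matching <what>
# wins, then the first matching <by> clause within it. The rootdn
# bypasses all of these for this database and needs no "by" clause.

# Password hashes: the owner may change them, anyone may bind against
# them (auth), nobody may read them.
access to attrs=userPassword
        by self write
        by anonymous auth
        by * none

# A search needs "search" on the base entry's "entry" pseudo-attribute,
# otherwise anonymous searches rooted at the suffix fail with
# noSuchObject. Granting search on the suffix entry alone discloses
# nothing else.
access to dn.base="dc=example,dc=com" attrs=entry
        by * search

# The attributes that are public. "entry" must be granted too, or the
# matching entries are never returned. read implies search, so these
# attributes may also be used in filters.
access to dn.subtree="ou=People,dc=example,dc=com"
        attrs=entry,cn,sn,mail
        by group.exact="cn=mailsystem,ou=Groups,dc=example,dc=com" read
        by anonymous read
        by * none

# Every other attribute under ou=People: only members of the mail
# system group may read; everyone else, including anonymous, gets none.
access to dn.subtree="ou=People,dc=example,dc=com"
        by group.exact="cn=mailsystem,ou=Groups,dc=example,dc=com" read
        by * none

# Anything in this database not matched above (for example ou=Groups)
# falls through to the appended global "access to * by * none".
```

To confirm the outcome without a running server, slapacl(8) evaluates the loaded ACLs against a given entry: `slapacl -f /etc/openldap/slapd.conf -v -b "uid=alice,ou=People,dc=example,dc=com" mail/read` reports whether an anonymous requester (no `-D`) may read mail, and adding `-D "uid=alice,ou=People,dc=example,dc=com" userPassword/read` shows that even the owner is denied reading the hash while `userPassword/auth` is allowed. Pass `-u` if the entry does not exist in the database yet. For live traffic, `slapd -d acl` logs every rule that is considered and which clause finally matched, which is the quickest way to see a request falling through to the global deny.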