Re: openLDAP Access Control mechanism
-----Original Message-----
From: Lim Swee Tat <limst@ncs.com.sg>
> Note the following. How many of you are currently using userpassword or
> some other field in the server as the authentication means for binding a
> user? I am. I'd like that only the user be able to authenticate
> him/herself and write to it.
I do. Fairly simple to set up an ACL in the config to allow the directory
admin to have full access to any entry, and a user bound to a specific entry
to have write control over it. And, set defaults for anyone else. This is
done most simply by adding a userpassword attribute to each entry, and using
a simple_bind with the DN and password.
>
> But look then at the access control level??... I quote...
> Note that an access level implies all lesser access levels (eg. write
> access implies read, search and compare).
> Now in the organization, I don't think in terms of deployment, read
> access even to self is a good idea for allowing access to.
Read access to self is a good thing, otherwise a person can't review his
entry. And a directory that doesn't open read access to an audience isn't
much use. Unless the directory is to be used by servers or applications in
a hidden capacity, that is. Depends on your intended usage...
I did something like the following for a recent project:
=============
# applies when no "access to" line below matches
defaultaccess none

# userpassword: the entry's owner and the directory manager may write it;
# anyone else may only compare against it, never read it
access to attr=userpassword
        by self write
        by dn="cn=Directory Manager,o=myroot" write
        by * compare

# everything else: owner and manager write; clients in our domain or on
# localhost read; any bound user under ou=users read; everyone else nothing
access to *
        by self write
        by dn="cn=Directory Manager,o=myroot" write
        by domain=.*\.mydomain\.com read
        by domain=localhost read
        by dn=".*,ou=users,o=myroot" read
        by * none
=============
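As an added illustration (my own toy code, not anything from the original post or from OpenLDAP), here is a small evaluator that applies the two rules the thread hinges on to the ACL above: each access level implies all lesser ones, and within the first "access to" block whose target matches, the first matching "by" clause decides. The bind DNs, o=myroot and the domain names are constructed for the example.

```python
# Added example, not from the original post: a toy evaluator for the old
# slapd.conf ACLs quoted above, modelling that each level implies all lesser
# ones and that the first matching "by" clause decides. Names are made up.
import re

LEVELS = ["none", "compare", "search", "read", "write"]

ACL_TEXT = r"""defaultaccess none
access to attr=userpassword
  by self write
  by dn="cn=Directory Manager,o=myroot" write
  by * compare
access to *
  by self write
  by dn="cn=Directory Manager,o=myroot" write
  by domain=.*\.mydomain\.com read
  by domain=localhost read
  by dn=".*,ou=users,o=myroot" read
  by * none"""

def parse_acl(text):
    default, rules = "none", []
    for line in (l.strip() for l in text.splitlines() if l.strip()):
        if line.startswith("defaultaccess "):
            default = line.split()[1]
        elif line.startswith("access to "):
            rules.append((line[10:], []))
        elif line.startswith("by "):
            who, level = line[3:].rsplit(" ", 1)
            rules[-1][1].append((who, level))
    return default, rules

def who_matches(who, bind_dn, target_dn, domain):
    if who == "*":
        return True
    if who == "self":
        return bind_dn is not None and bind_dn.lower() == target_dn.lower()
    if who.startswith("dn=") and bind_dn is not None:
        return re.fullmatch(who[3:].strip('"'), bind_dn, re.I) is not None
    return bool(who.startswith("domain=") and domain is not None
                and re.fullmatch(who[7:], domain, re.I))

def allowed(acl, bind_dn, target_dn, attr, wanted, domain=None):
    granted, rules = acl          # start from defaultaccess; None bind = anonymous
    for what, clauses in rules:
        if what == "*" or what == "attr=" + attr.lower():
            granted = next((lvl for who, lvl in clauses
                            if who_matches(who, bind_dn, target_dn, domain)), "none")
            break
    return LEVELS.index(granted) >= LEVELS.index(wanted)
```

Running it shows the point of the thread: a user gets write (and therefore read) on his own userpassword, only compare on anyone else's, and read but not write on other users' entries.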