
Re: Don't permit access for anonymous user...

At 06:35 PM 1/24/00 +0100, lamothe wrote: 
>It (2.0 ACL) is not permitted in OpenLDAP 1.x

Yes.  2.0 ACLs provide extensions which are not in 1.x.

The 2.0 anonymous key word can be replaced with dn="".
The "auth" access level should be replaced with "none" as
none implies auth in 1.x.

>I thought to do something like:
>        access to attr=userpasswd,entry 
>            by self            write 
>            by *                 compare

In 1.x, no ACL limits authentication.  And it wouldn't
be terribly wise to grant everyone (including anonymous)
permission to compare password values.

I suggest you start with:

	default	none

	access to attr=userpassword
		by self write
		by * none

	access to *
		by self write
		by dn=".+" read
		by * none

This will allow users to write their entries and change
their passwords.  It allows authenticated users to search
by attribute (other than userPassword) and obtain results
for any and all entries (less the userPassword attribute).

> access to dn=".* , dc=mycompagny, dc=com" 
>        by dn=".*, dc=mycompagny, dc=com"    search 

I'd be surprised if that matched anything due to the extra white space.
DN regex must be written to match normalized DNs.

> If I try to connect as anonymous: ldapsearch returns nothing so that's good!

You allowed anonymous compare of userPassword which is not good.

> If I try to connect as rootdn: ldapsearch returns all the entries so that's OK

The root dn is immune to ACLs.

>If I try to connect as a dn with the good passwd:
>I have only the access on the user entry (with all attributes)
>but I don't have permission to all the entries!!!!

Because you didn't grant that permission.  Even if your last rule
did work, it only granted search.  I assume your default access
is "read" which is what allowed you to read the entries.


Review the archives of this list for numerous examples.
I've added a few hints to the FAQ as well.
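To make the reasoning in the reply above concrete, here is a small toy evaluator for slapd.conf-style ACLs, added as an example and not taken from the thread or from OpenLDAP's own acl.c. It models the rules the reply relies on: the rootdn is immune to ACLs, the first matching "access to" directive wins and its first matching "by" clause sets the level, a grant at one level implies every lower level (none < compare < search < read < write in 1.x), anonymous binds as dn="", the default access applies only when no directive matches, and DN regexes are matched against a normalized DN. The normalization (lowercase, whitespace around commas and '=' dropped), the sample DNs (cn=Manager, Alice, bob under dc=mycompagny,dc=com), and the "no matching by clause means none" fallback are assumptions of the model, not facts from the page.

```python
import re

# Access levels in OpenLDAP 1.x order; a grant at one level implies every lower level.
LEVELS = ["none", "compare", "search", "read", "write"]

# Constructed sample DNs for the example (assumptions, not from the thread).
ROOTDN = "cn=Manager,dc=mycompagny,dc=com"
ALICE = "cn=Alice , dc=mycompagny, dc=com"   # deliberately sloppy spacing
BOB = "cn=bob,dc=mycompagny,dc=com"


def normalize_dn(dn):
    """Simplified model (assumption) of slapd's DN normalization: lowercase the
    DN and drop whitespace around the commas between RDNs and around '='.
    ACL regexes are matched against this form, not against what the client sent."""
    rdns = [r.strip() for r in dn.split(",") if r.strip()]
    return ",".join(re.sub(r"\s*=\s*", "=", r).lower() for r in rdns)


def target_matches(acl, entry_dn, attr):
    """'access to' clause: optional DN regex plus optional attribute list."""
    if acl["to"] != "*" and not re.search(acl["to"], entry_dn):
        return False
    return acl["attrs"] is None or attr.lower() in acl["attrs"]


def who_matches(who, entry_dn, bind_dn):
    """'by' clause: '*', 'self', or dn=<regex> (anonymous binds as dn="")."""
    if who == "*":
        return True
    if who == "self":
        return bind_dn != "" and bind_dn == entry_dn
    if who.startswith("dn="):
        return re.search(who[3:], bind_dn) is not None
    raise ValueError("unsupported by clause: " + who)


def granted_level(acls, default, rootdn, bind_dn, entry_dn, attr):
    """First matching 'access to' wins, then its first matching 'by' wins.
    The rootdn bypasses ACLs entirely. If no directive matches, the
    'defaultaccess' value applies. A matching directive with no matching
    'by' clause is treated as 'none' here (assumption; every config on the
    page ends with 'by * none', so the case never arises for them)."""
    bind_dn, entry_dn = normalize_dn(bind_dn), normalize_dn(entry_dn)
    if bind_dn and bind_dn == normalize_dn(rootdn):
        return "write"
    for acl in acls:
        if not target_matches(acl, entry_dn, attr):
            continue
        for who, level in acl["by"]:
            if who_matches(who, entry_dn, bind_dn):
                return level
        return "none"
    return default


def allowed(acls, default, rootdn, bind_dn, entry_dn, attr, want):
    """True if the granted level is at least the requested one."""
    have = granted_level(acls, default, rootdn, bind_dn, entry_dn, attr)
    return LEVELS.index(have) >= LEVELS.index(want)


# The ACLs suggested in the reply, as data: "default none" plus two directives.
SUGGESTED = [
    {"to": "*", "attrs": {"userpassword"},
     "by": [("self", "write"), ("*", "none")]},
    {"to": "*", "attrs": None,
     "by": [("self", "write"), ("dn=.+", "read"), ("*", "none")]},
]

# The original poster's ACLs (attribute spelled as userPassword here), with
# the DN regex kept exactly as posted, extra white space included.
POSTED = [
    {"to": "*", "attrs": {"userpassword", "entry"},
     "by": [("self", "write"), ("*", "compare")]},
    {"to": r".* , dc=mycompagny, dc=com", "attrs": None,
     "by": [(r"dn=.*, dc=mycompagny, dc=com", "search")]},
]


if __name__ == "__main__":
    for who, label in (("", "anonymous"), (BOB, "bob"), (ALICE, "alice"), (ROOTDN, "rootdn")):
        for attr in ("cn", "userPassword"):
            lvl = granted_level(SUGGESTED, "none", ROOTDN, who, ALICE, attr)
            print(f"suggested: {label:9} -> alice/{attr:12} {lvl}")
    print("posted regex matches normalized alice DN:",
          target_matches(POSTED[1], normalize_dn(ALICE), "cn"))
    print("posted: anonymous may compare alice's userPassword:",
          allowed(POSTED, "read", ROOTDN, "", ALICE, "userPassword", "compare"))
```

Running it shows the three points of the reply side by side: under the suggested ACLs anonymous gets nothing, bob can read Alice's entry but not her userPassword and cannot write it, Alice can write her own entry and password, and the rootdn gets write regardless; under the posted ACLs the DN regex never matches the whitespace-free normalized DN, so those requests fall through to the default access, while the "by * compare" on the password attribute really does let an anonymous client compare password values.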