Re: Apologies - ACL question
"Kurt D. Zeilenga" wrote:
> At 11:55 AM 6/15/00 -0400, Michael Thomas wrote:
> > => access_allowed: exit (firstname.lastname@example.org, ou=Employees, dc=foo, dc=com) attr (entry)
> > acl: access to entry not allowed
> You did not grant access to the entry pseudo attribute.
> You likely should make the following changes:
> >defaultaccess none
> >access to attr=userPassword
> > by self write
> > by dn="cn=Administrator,dc=foo,dc=com" write
> > by dn="^$$" compare
> > by * none
> not sure why you grant anonymous users the right to
> compare userPassword values. Seems quite inappropriate
> (and not needed for authentication).
Thought it was required after reading some random info. Since removed
> >access to attr=mail
> > by dn=".*,ou=Employees,dc=foo,dc=com" write
> > by dn="^$$" search
> > by * none
> You grant anonymous ability to search by mail and
> uid, but not permission to read mail and uid.
> Read is needed if you desire to have these values
Netscape asks you for your e-mail, then searches for the DN containing that e-mail, then authenticates you based on that DN.
I didn't grant read because I don't think anonymous needs to read the attribute.
> access to attr=entry
> by self write
> by dn="cn=Administrator,dc=foo,dc=com" write
> by dn=".*,ou=Employees,dc=foo,dc=com" write
> by dn="^$$" read
> by * none
What does granting anonymous read to entry mean? Can any anonymously
bound user obtain the DNs for all entries this way?
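For reference, here is a revised version of the ACL set from this thread, written as an added illustration rather than taken from either poster: it drops the anonymous compare on userPassword and grants anonymous read (not just search) on mail, uid and the entry pseudo-attribute so the Netscape mail-to-DN lookup can return a result. The `dc=foo,dc=com` names and the 1.x-style `dn="^$$"` anonymous match are those used in the thread (OpenLDAP 2.x spells the same thing `by anonymous`); scoping the entry clause to `ou=Employees` is an assumption about where the lookup is meant to work.

```text
# Revised slapd.conf ACLs (added example, 1.x-style syntax as used above).
# Clauses are tried in order; the first "access to" whose target matches decides.
defaultaccess none

# Passwords: owner and administrator only. The anonymous compare is removed;
# simple bind does not require compare access on userPassword.
access to attr=userPassword
        by self write
        by dn="cn=Administrator,dc=foo,dc=com" write
        by * none

# Lookup attributes. "search" only lets a filter such as (mail=x) be evaluated;
# "read" is needed for the matching entry's values to be returned to the client.
access to attr=mail,uid
        by dn=".*,ou=Employees,dc=foo,dc=com" write
        by dn="^$$" read
        by * none

# The entry pseudo-attribute decides whether an entry is returned at all.
# Anonymous read here does let an anonymous bind learn the DN of every entry
# this clause covers, so it is restricted (assumption) to the Employees subtree
# instead of the whole directory.
access to dn=".*,ou=Employees,dc=foo,dc=com" attr=entry
        by self write
        by dn="cn=Administrator,dc=foo,dc=com" write
        by dn=".*,ou=Employees,dc=foo,dc=com" write
        by dn="^$$" read
        by * none
```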