
Re: yet another ACL question



On Fri, 2003-09-12 at 10:35, suomi hasler wrote:
> Hi Brian

Hi Suomi,

> if you prohibit base read access to the directory (in your last ACL "by 
> * none"),  you prohibit access to the schema and basic DIT information 
> like e.g. namingContext.

Indeed.  This is what I had gathered.  I was hoping my query here would
yield some help in determining what "minimum" amount of read access I
had to allow in order to allow access to that information.

I prefer to not try to lock down information as it's added to the
directory, but rather open it up as required.  The former is prone to
security/information leaks.  The latter is just broken functionality
with regard to new information until it is corrected.  Fail-safe as it
were.

It seems there is some information, protectable by ACLs that
applications can read from the database that is not obvious to a
directory administrator.  I was hoping somebody would shed light on that
aspect.

So I guess the question remains (to all, not you specifically), other
than the root DSE, what else in terms of entries other than the entries
I add to the database, do I need to give a user read access to so that
clients such as GQ work properly?

b.

-- 
My other computer is your Microsoft Windows server.

Brian J. Murrell

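The "open it up as required" approach from the message above, as an added slapd.conf example that is not from this thread or from any poster: it keeps the deny-by-default stance but explicitly grants read on the root DSE and the subschema subentry, the two entries the quoted reply says a blanket "by * none" cuts off. The attribute names and rule order are assumptions about a standard OpenLDAP 2.x slapd.conf; adjust them to the local setup.

```conf
# Added example, not from the thread.  slapd evaluates "access to" clauses
# in order and uses the first one whose target matches, so the narrow
# exceptions must come before the catch-all at the end.

# Root DSE (empty DN): namingContexts, supportedLDAPVersion, etc.
# Clients such as GQ read this, often anonymously, to find the suffix
# before they bind, so it must stay readable even when everything else is closed.
access to dn.base=""
        by * read

# Subschema subentry: attribute and objectClass definitions that clients
# fetch to display and validate entries.  Also needed before a bind.
access to dn.base="cn=Subschema"
        by * read

# Password attribute: the owner may change it, anyone may use it to bind
# (auth), nobody may read it back.
access to attrs=userPassword
        by self write
        by anonymous auth
        by * none

# Everything else in the DIT: authenticated users may read, the owner may
# edit their own entry, and the anonymous "by * none" default stays in place.
access to *
        by self write
        by users read
        by * none
```

With this ordering, a new attribute or subtree added later is readable only by authenticated users until an explicit clause opens it further, which is the fail-safe behaviour the message asks for.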