[Date Prev][Date Next]
Re: Ang. RE: Bdb defaults - WAS: problem importing entries.
-----BEGIN PGP SIGNED MESSAGE-----
Pierangelo Masarati wrote:
| This is another issue. please use the ITS if you think there's a bug.
| Note that this part of ACLs has been the subject of a debate recently;
| global scope ACLs are supposed to behave as they used to be from all
| times; only, they are evaluated AFTER those database specific; so if you
| have something like
| # ...
| access to attrs=userpassword
| by * =x
| database xxx
| # ...
| access to *
| by * read
| then of course the global rule will never be used. I'm positive
| the behavior didn't change; if it did, then it's an error and deserves
| an ITS.
Hmm, how about a configuration with a global ACL like:
# Protect passwords, using a regex so we can have generic accounts with
# write access
# Openldap will not authenticate against non-userPassword attributes
# but we would have to duplicate most rules ...
access to dn="(.+,)?,ou=.+,(dc=.+,?)+$$"
~ by self write
~ by dn="uid=root,ou=People,$2" write
~ by group="cn=Domain Controllers,ou=Group,$2" write
~ by anonymous auth
~ by * none
Then, a database definition like:
access to *
~ by dn.exact="uid=root,ou=People,dc=example,dc=com" write
~ by group="cn=Replicator,ou=Group,dc=example,dc=com" write
~ by * read
Now, if we have the final rule "by * read", then we aren't protecting
the password, and if we have "by * none", then we can't do anonymous
auth or let users change their passwords. Catch 22.
Global ACLs should (IMHO) be global ... otherwise they are useless (at
least if you have a replica).
If global ACLs are processed first, then they can be generic enough for
most purposes, and database-specific ACLs can tighten up the last bits.
But, if they are processed last, they are either used (with no
customisation available), or they aren't.
Maybe there are counter-arguments?
Buchan Milne Senior Support Technician
Obsidian Systems http://www.obsidian.co.za
B.Eng RHCE (803004789010797)
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (GNU/Linux)
Comment: Using GnuPG with Thunderbird - http://enigmail.mozdev.org
-----END PGP SIGNATURE-----