Re: Access control

Ben Beuchler wrote:
> By the time we roll in our OS X, mail, and internal data, individual
> directory entries are getting quite large.  I would like to restrict
> anonymous queries to just retrieving a small subset of attributes (cn,
> displayName, mail, ou, etc.).
> Is there some method that would allow me to specify which attributes
> an anonymous user can see, and default to denying the rest?
> This is what I tried:
> -------------------
> # Let anonymous users read just the basic attributes
> access to dn.subtree="dc=users,dc=accounts,dc=ldap,dc=mcad,dc=edu"
> attrs=displayName,cn,mail
>         by self write
>         by anonymous read
>         by dn="cn=postfix,dc=bindAccts,dc=ldap,dc=mcad,dc=edu" read
>         by dn="cn=barracuda,dc=bindAccts,dc=ldap,dc=mcad,dc=edu" read
>         by * none

Shouldn't the last line be (assuming these are the attributes you want
to be visible to anonymous users):
by * read

> #Let only accounts under bindAccts read the rest
> access to dn.subtree="dc=users,dc=accounts,dc=ldap,dc=mcad,dc=edu"
>         by dn.children="dc=bindAccts,dc=ldap,dc=mcad,dc=edu" read
>         by anonymous search
>         by * none

Hmm, all bind accounts can read all attributes of any other users? Like
userPassword? Maybe not such a good idea.

> --------------------
> With that approach, anonymous users see nothing.

Yep ... because you haven't got an access rule for "anonymous" on the
first ACL, but you restrict everyone (including anonymous) to none.

>  If I comment out the
> second ACL, the query falls through to the list ACL in my config,
> which is:
> access to *
>        by <specific accounts> write
>        by * read

Your last ACL should probably not be "by * read" for what you want to
accomplish ...

Also, "by users" and "by self" may be useful to you ... so please read
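For reference, here is one way to lay the ACLs out so that anonymous binds get only the public attributes and the bind accounts get the rest without ever seeing passwords. This is an added example, not part of the original message or of Ben's config; the DNs are the ones from the quoted config, while the handling of userPassword, objectClass and the "entry" pseudo-attribute is my assumption about what is wanted. Two slapd ACL rules matter here: access directives are tried in order and the first one whose target (dn + attrs) matches is the only one consulted, so the most specific rules go first; and the "entry" pseudo-attribute decides whether an entry is returned at all. An attrs= rule that leaves "entry" out hands it to a later rule, and a search only returns an entry to a client that has read on "entry", so an anonymous client with nothing better than search on it gets an empty result even though the listed attributes are readable.

```conf
# slapd.conf ACL fragment (added example; DNs from the quoted config, the
# userPassword/objectClass/entry handling is assumed, not from the original).
# Rules are tried in order; the first "access to" whose target matches is used,
# and within it the first matching "by" clause decides. Every rule ends with
# an implicit "by * none".

# 1. Passwords first, so no later, broader rule can expose them: the owner may
#    change them, everyone else (including the bind accounts) may only bind
#    with them ("auth"), never read them.
access to dn.subtree="dc=users,dc=accounts,dc=ldap,dc=mcad,dc=edu"
        attrs=userPassword
        by self write
        by anonymous auth
        by * none

# 2. "entry" controls whether an entry is returned at all; read on it is what
#    lets a search hand the entry back. objectClass is included because most
#    clients need it to make sense of the result.
access to dn.subtree="dc=users,dc=accounts,dc=ldap,dc=mcad,dc=edu"
        attrs=entry,objectClass
        by * read

# 3. The public subset: the owner may edit it, everyone (anonymous included)
#    may read it.
access to dn.subtree="dc=users,dc=accounts,dc=ldap,dc=mcad,dc=edu"
        attrs=cn,displayName,mail,ou
        by self write
        by * read

# 4. Everything else in the subtree: only accounts under dc=bindAccts (which
#    covers cn=postfix and cn=barracuda) and the entry's owner may read.
#    Anonymous deliberately gets no "search" here: search on the hidden
#    attributes would let an anonymous client probe their values with filters.
access to dn.subtree="dc=users,dc=accounts,dc=ldap,dc=mcad,dc=edu"
        by dn.children="dc=bindAccts,dc=ldap,dc=mcad,dc=edu" read
        by self read
        by * none

# The existing "access to *" catch-all stays after these; because the rules
# above match first for the user subtree, it only governs entries elsewhere.
```

Whether it does what you expect is easy to check without a client: slapacl(8) evaluates the loaded ACLs for a given identity, so something like "slapacl -f slapd.conf -b cn=someone,dc=users,dc=accounts,dc=ldap,dc=mcad,dc=edu userPassword/read" (no -D, i.e. anonymous) should report DENIED, the same run with "-D cn=postfix,dc=bindAccts,dc=ldap,dc=mcad,dc=edu" should still report DENIED for userPassword/read but ALLOWED for the other attributes, and "entry/read" should be ALLOWED for anonymous. An anonymous "ldapsearch -x" against the subtree should then return entries carrying only objectClass, cn, displayName, mail and ou. Note that a catch-all ending in "by * read" still lets anonymous clients read whatever sits outside the user subtree, the bind accounts under dc=bindAccts included, so it is worth tightening that too.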
