
Re: Access control

On 6/22/05, Buchan Milne <bgmilne@obsidian.co.za> wrote:

> > # Let anonymous users read just the basic attributes
> > access to dn.subtree="dc=users,dc=accounts,dc=ldap,dc=mcad,dc=edu"
> > attrs=displayName,cn,mail
> >         by self write
> >         by anonymous read
> >         by dn="cn=postfix,dc=bindAccts,dc=ldap,dc=mcad,dc=edu" read
> >         by dn="cn=barracuda,dc=bindAccts,dc=ldap,dc=mcad,dc=edu" read
> >         by * none
> Shouldn't the last line be (assuming these are the attributes you want
> to be visible to anonymous users):
> by * read?

Possibly, but I'm not sure why; I explicitly allow anonymous binds to
read earlier in the ACL.  My understanding is the 'by *' clause
catches only users not explicitly listed.  I'll experiment with that.

> > #Let only accounts under bindAccts read the rest
> > access to dn.subtree="dc=users,dc=accounts,dc=ldap,dc=mcad,dc=edu"
> >         by dn.children="dc=bindAccts,dc=ldap,dc=mcad,dc=edu" read
> >         by anonymous search
> >         by * none
> Hmm, all bind accounts can read all attributes of any other users? Like
> userPassword? Maybe not such a good idea.

This isn't the full (or final) ACL.  The first entry is the obligatory
"no one can read userPassword" entry.  And once I figure out how to
deny all but specified attributes to anonymous users, I will tighten
up the rest of the ACL.

> > With that approach, anonymous users see nothing.
> Yep ... because you haven't got an access rule for "anonymous" on the
> first ACL, but you restrict everyone (including anonymous) to none.

Nope.  If you look back at the 1st ACL, the second <by> clause allows
anonymous to read.

> > If I comment out the second ACL, the query falls through to the last ACL
> > in my config, which is:
> >
> > access to *
> >        by <specific accounts> write
> >        by * read
> Your last ACL should probably not be "by * read" for what you want to
> accomplish ...

Only if I can't get the second ACL listed above to work.  If I can get
it to do what I want, anonymous users will stop there.

> Also, "by users" and "by self" may be useful to you...

Not really.  As I stated earlier, I'm trying to restrict what
*anonymous* users can see to an explicitly listed subset of the
attributes in an entry.
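The thread turns on how slapd picks an access directive: the first "access to" whose target matches the entry and attribute is used, and within it the first matching "by" clause decides the level, so a later "by *" only catches whoever the earlier clauses did not. A second point, documented in slapd.access(5), explains why anonymous clients "see nothing" with the quoted directives: an entry is only returned from a search when the client has read access to the `entry` pseudo-attribute, and `attrs=displayName,cn,mail` does not cover it, so the request falls to the second directive, where anonymous only gets `search`. The script below is an added example written for this page, not code from the thread or from OpenLDAP; it is a deliberately simplified model of that evaluation (no `stop`/`continue`/`break` control, no regex targets), reusing the DNs from the thread and a constructed sample user `uid=alice`, and contrasts the quoted ACLs with a tightened set that protects `userPassword` and adds `entry` to the anonymous-readable list.

```python
"""Simplified model of slapd.conf 'access to ... by ...' evaluation
(slapd.access(5)): the FIRST directive whose target matches the
(entry DN, attribute) pair is selected, then the FIRST matching 'by'
clause in it decides the level; no matching 'by' clause means 'none'."""

# Access levels as ordered in OpenLDAP 2.2, weakest first.
LEVELS = ["none", "auth", "compare", "search", "read", "write"]


def rank(level):
    return LEVELS.index(level)


def _within(dn, base):
    """True if dn equals base or lies anywhere below it (case-insensitive)."""
    dn, base = dn.lower(), base.lower()
    return dn == base or dn.endswith("," + base)


def _who_matches(who, bound_dn, entry_dn):
    """Evaluate one <who> of a 'by' clause; bound_dn is None for anonymous."""
    kind, arg = who
    if kind == "*":
        return True
    if kind == "anonymous":
        return bound_dn is None
    if kind == "users":
        return bound_dn is not None
    if kind == "self":
        return bound_dn is not None and bound_dn.lower() == entry_dn.lower()
    if kind == "dn":            # exact DN match
        return bound_dn is not None and bound_dn.lower() == arg.lower()
    if kind == "dn.children":   # any DN strictly below arg
        return (bound_dn is not None and bound_dn.lower() != arg.lower()
                and _within(bound_dn, arg))
    raise ValueError("unsupported <who>: %s" % kind)


def access_level(acls, entry_dn, attr, bound_dn=None):
    """Level granted to bound_dn on one attribute (or the 'entry' pseudo-attribute)."""
    for subtree, attrs, by_clauses in acls:
        # 'access to *' is written here as subtree=None, attrs=None
        if subtree is not None and not _within(entry_dn, subtree):
            continue
        if attrs is not None and attr.lower() not in [a.lower() for a in attrs]:
            continue
        for who, level in by_clauses:
            if _who_matches(who, bound_dn, entry_dn):
                return level
        return "none"            # directive matched, but no 'by' clause did
    return "none"                # assumption in this model: nothing matched -> deny


def visible_attrs(acls, entry_dn, requested, bound_dn=None):
    """Attributes a search would return: the entry needs 'read' on the 'entry'
    pseudo-attribute, then each requested attribute needs 'read' of its own."""
    if rank(access_level(acls, entry_dn, "entry", bound_dn)) < rank("read"):
        return []
    return [a for a in requested
            if rank(access_level(acls, entry_dn, a, bound_dn)) >= rank("read")]


USERS = "dc=users,dc=accounts,dc=ldap,dc=mcad,dc=edu"
BIND = "dc=bindAccts,dc=ldap,dc=mcad,dc=edu"
POSTFIX, BARRACUDA = "cn=postfix," + BIND, "cn=barracuda," + BIND
ALICE = "uid=alice," + USERS         # constructed sample user entry

BASIC = ["displayName", "cn", "mail"]
BASIC_BY = [(("self", None), "write"), (("anonymous", None), "read"),
            (("dn", POSTFIX), "read"), (("dn", BARRACUDA), "read"),
            (("*", None), "none")]
REST_BY = [(("dn.children", BIND), "read"), (("anonymous", None), "search"),
           (("*", None), "none")]
CATCH_ALL = (None, None, [(("*", None), "read")])   # the thread's final 'access to *'

# The two directives quoted in the thread, followed by the catch-all.
THREAD_ACLS = [(USERS, BASIC, BASIC_BY), (USERS, None, REST_BY), CATCH_ALL]

# Tightened variant: userPassword protected first, and 'entry' added to the
# attribute list so anonymous clients get read on the entry pseudo-attribute.
HARDENED_ACLS = [
    (USERS, ["userPassword"],
     [(("self", None), "write"), (("anonymous", None), "auth"), (("*", None), "none")]),
    (USERS, ["entry"] + BASIC, BASIC_BY),
    (USERS, None, REST_BY),
    CATCH_ALL,
]

if __name__ == "__main__":
    want = ["cn", "mail", "telephoneNumber", "userPassword"]
    print("thread ACLs, anonymous sees:", visible_attrs(THREAD_ACLS, ALICE, want))
    print("hardened ACLs, anonymous sees:", visible_attrs(HARDENED_ACLS, ALICE, want))
    print("hardened, postfix on userPassword:",
          access_level(HARDENED_ACLS, ALICE, "userPassword", POSTFIX))
```

Run as-is, the first line prints an empty list (anonymous reaches `search` on `entry` via the second directive, so nothing is returned), the second prints only `cn` and `mail`, and the third prints `none` for the bind account on `userPassword`. Swapping the first directive's final `by * none` for `by * read` does not change what anonymous gets on `cn`, because the `by anonymous read` clause matches first; it only changes the outcome for bound DNs the earlier clauses do not list.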