[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: ACLs by netgroup?

[please keep replies on the list]

> Thanks again for getting back to me.  I am still working through your
> suggestion.  Just replying to you to clarify something:
> The ACL I am currently using for my attr=userPassword came from the
> openldap
> admin guide, here:
> http://www.openldap.org/doc/admin23/slapdconfig.html#Access%20Control
> However, you mentioned the ACL is incorrect.  Other than the ordering, I
> don't
> see a difference.  Am I missing something? If it is the ordering, I
> apologize
> for asking twice...but I must really be missing something.
> mine:
>    access to attr=userPassword
>         by self write
>         by dn.base="cn=Manager,dc=example,dc=com" write
>         by anonymous auth
>         by * none
> from the admin guide:
>  24.    access to attr=userPassword
>  25.            by self write
>  26.            by anonymous auth
>  27.            by dn.base="cn=Admin,dc=example,dc=com" write
>  28.            by * none

>> This ACL is incorrect, as indicated everywhere in the documentation, if
>> by "ldap manager" you mean the "rootdn"; a correct one would be
>> access to attr=userPassword
>>         by self write
>>         by anonymous auth

Whn I said "incorrect" i meant something like "unnecessarily redundant";
compare mine with yours: you added two lines that are unnecessary and may
cause performance penalty.  As clearly stated in the slapd.access(5) man
page and in the example slapd.conf that comes with the distribution, it is
useless to add rules that grant permissions to the rootdn, because the
rootdn bypasses access control (otherwise there would be little use for
the rootdn itself); however, the rest of access control has to go thru
comparing with that useless "by" clause all times.  The "by * none" is a
no go, because it's the default.  You can add it as a reminder, but again,
you're wasting resources.


Ing. Pierangelo Masarati
Responsabile Open Solution
OpenLDAP Core Team

SysNet s.n.c.
Via Dossi, 8 - 27100 Pavia - ITALIA
Office:   +39.02.23998309          
Mobile:   +39.333.4963172
Email:    pierangelo.masarati@sys-net.it