
Re: read access control is required.



I wrote:
>MS Cheung writes:
>> We would like to set up an access control to allow the mail server to
>> have read access to all the LDAP data; but the end users only have read
>> access to their own personal data.  Would someone please help to
>> provide us an example of the ACL setup.
>
> (...)
> access to attrs=userPassword by * auth
> (...)
> access to * by dn.exact=cn=mailserver,dc=example,dc=com
>                peername.ip=11.22.33.44
>                read
>             by self read
>             by *    none

Um, that only allows direct lookup of the entries.
Maybe you only want to prevent access to account or person
entries, but allow unauthenticated access to other entries.
If so, the "access to *" should be something like
     access to filter=(objectClass=account)
or
     access to dn.children=ou=accounts,dc=example,dc=com
or whatever matches the entries you wish to regulate access to.

-- 
Hallvard