[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: ACL questions



On Tuesday 11 July 2006 16:43, MT wrote:
> Okay, some how I kind of got it to work.  Here's my ACL's in order:
>
> access to dn.children="dc=cmcflex,dc=com"
> 	by users write
> 	by * auth

The above ACL seems a bit weird ... you probably want this 2nd-last.

>
> access to
> attrs="telephoneNumber","homePhone","homePostalAddress","userPassword"
> 	by users write
> 	by * auth

Move these attributes into their own ACL, so that you instead have:

access to
	attrs=userPassword
	by self write
 	by * auth

access to
	attrs=telephoneNumber,homePhone,homePostalAddress
 	by users write
 	by * read

> access to *
>         by anonymous read

You really don't want to mix ACLs for password attributes with other 
attributes you want to provide read access to. And, you probably don't want 
any authenticated user to be able to change the passwords of other users.

Finally, you may also consider using a group for the write ACLs, so that 
simply setting a password for a user doesn't compromise your ACLs.

Regards,
Buchan


-- 
Buchan Milne
ISP Systems Specialist
B.Eng,RHCE(803004789010797),LPIC-2(LPI000074592)

Attachment: pgphaYB7NQkqS.pgp
Description: PGP signature