ACL or a default deny policy

Hi,

I am implementing a directory with OpenLDAP and I would like anonymous
users to be able to read only certain attributes, while all other
attributes are accessible to authenticated users only.

# ACL 1: Data that the user can change and that the world can see
access to dn.one="ou=People,ou=csim,dc=cs,dc=ait,dc=ac,dc=th" 
       attrs=sn,givenName
   by group="cn=groupadmin..." write
   by self write
   by * read

# ACL 2: Personal data, that the user can change and the world can not see
access to dn.one="ou=People,ou=csim,dc=cs,dc=ait,dc=ac,dc=th"
       attrs=gecos,description
   by group="cn=groupadmin..." write
   by self write
   by * none

# ACL 3: any attribute that is not explicitly allowed above is denied
access to dn.one="ou=People,ou=csim,dc=cs,dc=ait,dc=ac,dc=th"
   by group="cn=groupadmin..." write
   by dn.subtree="ou=csim,dc=cs,dc=ait,dc=ac,dc=th" read
   by * none

But this is not working. If I do it like this, an anonymous search will
see nothing from the user.

I found out somewhere that the attribute objectClass should always be exposed, so I tried to add it in ACL 1, but that is not working either; I must have a last ACL of the form

access to dn.one="ou=People,ou=csim,dc=cs,dc=ait,dc=ac,dc=th"
   by group="cn=groupadmin..." write
   by dn.subtree="ou=csim,dc=cs,dc=ait,dc=ac,dc=th" read
   by * read

and I don't see where my reasoning is going wrong.

Thanks in advance,

Olivier
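An added illustration, not from the original post and not slapd's own code, of why the ACL set above hides every entry from anonymous. slapd picks the first `access to` directive whose DN and attribute match the target, then the first `by` clause inside it that matches the requester; a directive without `attrs=` covers every attribute including the `entry` pseudo-attribute, and an entry is only returned if the requester has read access to `entry` and search access to each attribute used in the filter. The Python below models those rules as I read them in slapd.access(5) (an assumption to be checked against a real slapd with ldapsearch, not a substitute for it), keeps the post's truncated group DN `cn=groupadmin...` as an opaque label, and uses a constructed sample entry. It compares the posted ACL set, the `by * read` workaround, and a variant in which ACL 1 exposes `entry` and `objectClass` alongside `sn` and `givenName`.

```python
"""Model of slapd ACL evaluation: first matching 'access to <what>', then first
matching 'by <who>' inside it. Added illustration, not slapd code; the rules are
my reading of slapd.access(5) (assumption) and should be checked on a real slapd."""

# slapd privilege levels, lowest to highest; a higher level implies the lower ones
LEVELS = ["none", "disclose", "auth", "compare", "search", "read", "write", "manage"]


def level_ge(have, need):
    return LEVELS.index(have) >= LEVELS.index(need)


def parent_dn(dn):
    # naive: "uid=x,ou=People,..." -> "ou=People,..." (no escaped commas in this sample)
    return dn.split(",", 1)[1] if "," in dn else ""


def who_matches(who, subject, target_dn):
    """who is ("*",), ("self",), ("subtree", base_dn) or ("group", group_dn).
    subject is None for an anonymous bind, else {"dn": ..., "groups": set()}."""
    kind = who[0]
    if kind == "*":
        return True
    if subject is None:
        return False                      # anonymous matches nothing else modelled here
    if kind == "self":
        return subject["dn"] == target_dn
    if kind == "subtree":
        return subject["dn"] == who[1] or subject["dn"].endswith("," + who[1])
    if kind == "group":
        return who[1] in subject["groups"]
    raise ValueError(kind)


def what_matches(what, target_dn, attr):
    """what = {"one": base_dn, "attrs": set or None}: dn.one matches direct children only,
    and no attrs= means every attribute, the 'entry' pseudo-attribute included."""
    if parent_dn(target_dn) != what["one"]:
        return False
    return what["attrs"] is None or attr in what["attrs"]


def access(acls, subject, target_dn, attr):
    """Level granted on (target_dn, attr): the first directive whose <what> matches decides,
    and inside it the first <who> that matches; anything else is 'none'."""
    for what, by in acls:
        if what_matches(what, target_dn, attr):
            for who, level in by:
                if who_matches(who, subject, target_dn):
                    return level
            return "none"                 # directive matched but no 'by' clause did
    return "none"                         # no directive matched: implicit 'access to * by * none'


def search(acls, subject, entry_dn, entry_attrs, filter_attrs):
    """Attributes of entry_dn returned to subject, or None if the entry is not returned
    at all: needs read on 'entry' and search on each attribute the filter uses."""
    if not level_ge(access(acls, subject, entry_dn, "entry"), "read"):
        return None
    if not all(level_ge(access(acls, subject, entry_dn, a), "search") for a in filter_attrs):
        return None
    return {a for a in entry_attrs if level_ge(access(acls, subject, entry_dn, a), "read")}


PEOPLE = "ou=People,ou=csim,dc=cs,dc=ait,dc=ac,dc=th"
CSIM = "ou=csim,dc=cs,dc=ait,dc=ac,dc=th"
ADMIN = ("group", "cn=groupadmin...")     # the post's truncated group DN, kept as an opaque label


def acl_set(public_attrs, world_default="none"):
    """The post's three directives; public_attrs is what ACL 1 exposes to '*', and
    world_default is the last 'by *' level of ACL 3 ('none' as posted, 'read' in the workaround)."""
    return [
        ({"one": PEOPLE, "attrs": set(public_attrs)},
         [(ADMIN, "write"), (("self",), "write"), (("*",), "read")]),
        ({"one": PEOPLE, "attrs": {"gecos", "description"}},
         [(ADMIN, "write"), (("self",), "write"), (("*",), "none")]),
        ({"one": PEOPLE, "attrs": None},
         [(ADMIN, "write"), (("subtree", CSIM), "read"), (("*",), world_default)]),
    ]


AS_POSTED = acl_set({"sn", "givenName"})
WORKAROUND = acl_set({"sn", "givenName"}, world_default="read")
FIXED = acl_set({"entry", "objectClass", "sn", "givenName"})

# constructed sample data (not from the post)
ENTRY_DN = "uid=olivier," + PEOPLE
ENTRY = {"objectClass", "uid", "sn", "givenName", "gecos", "description", "mail"}
ANON = None
STAFF = {"dn": "uid=someone," + PEOPLE, "groups": set()}   # authenticated, under ou=csim, not an admin


def cases():
    """Searches worth comparing; the filter attrs stand for e.g. (objectClass=*) or (uid=olivier)."""
    return {
        "anon, as posted, (objectClass=*)": search(AS_POSTED, ANON, ENTRY_DN, ENTRY, {"objectClass"}),
        "staff, as posted, (objectClass=*)": search(AS_POSTED, STAFF, ENTRY_DN, ENTRY, {"objectClass"}),
        "anon, by * read workaround, (objectClass=*)": search(WORKAROUND, ANON, ENTRY_DN, ENTRY, {"objectClass"}),
        "anon, entry+objectClass exposed, (objectClass=*)": search(FIXED, ANON, ENTRY_DN, ENTRY, {"objectClass"}),
        "anon, entry+objectClass exposed, (uid=olivier)": search(FIXED, ANON, ENTRY_DN, ENTRY, {"uid"}),
    }


if __name__ == "__main__":
    for name, result in cases().items():
        print(f"{name}: {'entry not returned' if result is None else sorted(result)}")
```

Run as a script it prints one line per case. Under the model, the posted set returns nothing to anonymous because `entry` falls through to ACL 3, whose only matching clause is `by * none`; the `by * read` workaround makes the entry visible but also leaks every attribute ACL 2 does not name (`uid` and `mail` in the sample); exposing `entry` and `objectClass` in ACL 1 gives anonymous exactly `objectClass`, `sn` and `givenName`, with the caveat that an anonymous filter on a hidden attribute such as `uid` still returns nothing, since search access on the filter attribute is required too.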