[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: acls and restricting permissions

On Tue, 2 Dec 2008, Brett @Google wrote:

Hi All,

I was wondering how i go about giving LESS access than the default ACL rule.

Lets assume some default permissions set from the FAQ-o-matic :

access to attr=userpassword
   by self =xw
   by anonymous auth

 access to *
   by self write
   by users read

This allows the "standard user" to read all attributes, and write
thier own details.

Does it? I think it'll stop reads on userPassword, actually.

Assuming we add to the above a user that has LESS access than the default ie:

1> access to attr=c,o,ou,cn,sn,givenName,mail
2>    by dn.exact=cn=limited,dc=example,dc=com
3>    by * none (or break)

This literally wont work as intended, because even if the above does not match, the

7>  access to *
8>    by self write
9>    by users read

Will always give users read by default.

For one thing, don't you want a directive on the line I marked as #2?

Let's assume that you add "read". That point isn't limiting them from reading "mail" nor "givenName", the point is that you want to stop them from reading userPassword or secretAgentID or whatever.

So you need the best matching for "access to <whatever> attr=userPassword," which of course would be the clause starting with the line I marked as #7. You need a more explicit rule to stop them. So perhaps you'd add something along the lines of:

4	access to * attr=userPassword,secretAgentID
5		by dn.exact="cn=limited,dc=example,dc=com" none
6		by * break

Alternately, perhaps you want to make line 1 an affirmative list. In that case, just add #5 as #7.5, ignoring #4-6.