[Date Prev][Date Next]
Re: acls and restricting permissions
On Tue, 2 Dec 2008, Brett @Google wrote:
I was wondering how i go about giving LESS access than the default ACL rule.
Lets assume some default permissions set from the FAQ-o-matic :
access to attr=userpassword
by self =xw
by anonymous auth
access to *
by self write
by users read
This allows the "standard user" to read all attributes, and write
thier own details.
Does it? I think it'll stop reads on userPassword, actually.
Assuming we add to the above a user that has LESS access than the default ie:
1> access to attr=c,o,ou,cn,sn,givenName,mail
2> by dn.exact=cn=limited,dc=example,dc=com
3> by * none (or break)
This literally wont work as intended, because even if the above does
not match, the
7> access to *
8> by self write
9> by users read
Will always give users read by default.
For one thing, don't you want a directive on the line I marked as #2?
Let's assume that you add "read". That point isn't limiting them from
reading "mail" nor "givenName", the point is that you want to stop them
from reading userPassword or secretAgentID or whatever.
So you need the best matching for "access to <whatever>
attr=userPassword," which of course would be the clause starting with the
line I marked as #7. You need a more explicit rule to stop them. So
perhaps you'd add something along the lines of:
4 access to * attr=userPassword,secretAgentID
5 by dn.exact="cn=limited,dc=example,dc=com" none
6 by * break
Alternately, perhaps you want to make line 1 an affirmative list. In that
case, just add #5 as #7.5, ignoring #4-6.