
Re: acls and restricting permissions



On Tue, 2 Dec 2008, Brett @Google wrote:

Hi All,

I was wondering how I go about giving LESS access than the default ACL rule.

Let's assume some default permissions set from the FAQ-o-matic:

access to attr=userpassword
   by self =xw
   by anonymous auth

access to *
   by self write
   by users read

This allows the "standard user" to read all attributes, and write
their own details.

Does it? I think it'll stop reads on userPassword, actually.

Assuming we add to the above a user that has LESS access than the default, i.e.:

1> access to attr=c,o,ou,cn,sn,givenName,mail
2>    by dn.exact=cn=limited,dc=example,dc=com
3>    by * none (or break)

This literally won't work as intended, because even if the above does not match, the

7>  access to *
8>    by self write
9>    by users read

Will always give users read by default.

For one thing, don't you want a directive on the line I marked as #2?

Let's assume that you add "read". That point isn't limiting them from reading "mail" nor "givenName", the point is that you want to stop them from reading userPassword or secretAgentID or whatever.

So you need the best matching for "access to <whatever> attr=userPassword," which of course would be the clause starting with the line I marked as #7. You need a more explicit rule to stop them. So perhaps you'd add something along the lines of:

4> access to * attr=userPassword,secretAgentID
5>    by dn.exact="cn=limited,dc=example,dc=com" none
6>    by * break

Alternately, perhaps you want to make line 1 an affirmative list. In that case, just add #5 as #7.5, ignoring #4-6.
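The reasoning in this reply hinges on how slapd walks its ACL: the first "access to" whose target matches is chosen, then the first matching "by" clause decides, and "break" is the only way to hand the decision on to a later directive. The following is an added example, not code from the thread or from OpenLDAP: a small Python model of that evaluation order, run over the three ACL sets discussed above (the original, Brett's attempt with the "read" this reply says is missing on line #2, and the version with lines #4-6 inserted before #7). The DNs uid=alice and uid=bob are constructed for illustration; a "by" clause with no level is treated as "none", and the +/- incremental level forms are not modelled.

```python
"""Toy model of how slapd evaluates 'access to ... by ...' directives: first matching
target wins, then the first matching <by> decides (stop/continue/break controls).
Constructed for this thread; not OpenLDAP code, and +/- incremental levels are ignored."""
from collections import namedtuple

# Privilege letters: d=disclose x=auth c=compare s=search r=read w=write m=manage
CUMULATIVE = {"none": "", "disclose": "d", "auth": "dx", "compare": "dxc",
              "search": "dxcs", "read": "dxcsr", "write": "dxcsrw", "manage": "dxcsrwm"}
CONTROLS = {"stop", "continue", "break"}
By = namedtuple("By", "who level control")
Directive = namedtuple("Directive", "attrs bys")   # attrs None means '*' (all attributes)

def parse_level(token):
    """'read' grants read and every lesser privilege; '=xw' grants exactly auth+write."""
    return frozenset(token[1:]) if token.startswith("=") else frozenset(CUMULATIVE[token])

def parse_acl(text):
    """Parse slapd.conf-style ACL text into a list of Directive tuples."""
    directives = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.startswith("access to"):
            attrs = None
            for part in line[len("access to"):].split():
                if part.startswith(("attr=", "attrs=")):
                    attrs = frozenset(a.lower() for a in part.split("=", 1)[1].split(","))
            directives.append(Directive(attrs, []))
        elif line.startswith("by "):
            toks = line.split()
            rest = toks[2:]
            level = frozenset()          # simplification: a missing level counts as none
            if rest and rest[0] not in CONTROLS:
                level = parse_level(rest.pop(0))
            control = rest.pop(0) if rest else "stop"
            if control not in CONTROLS:
                raise ValueError(f"unknown control: {control}")
            directives[-1].bys.append(By(toks[1].replace('"', ""), level, control))
        else:
            raise ValueError(f"unrecognised line: {line}")
    return directives

def who_matches(who, requester, target):
    """requester is the bound DN, or None for an anonymous session."""
    if who == "*":
        return True
    if who == "anonymous":
        return requester is None
    if requester is None:
        return False
    if who == "users":
        return True
    if who == "self":
        return requester.lower() == target.lower()
    if who.startswith("dn.exact="):
        return requester.lower() == who[len("dn.exact="):].lower()
    raise ValueError(f"unsupported <who>: {who}")

def effective_level(directives, requester, target, attr):
    """Privilege set granted to requester on attr of the target entry."""
    attr = attr.lower()
    level = frozenset()      # implicit 'access to * by * none' at the end of every ACL
    for d in directives:
        if d.attrs is not None and attr not in d.attrs:
            continue         # target does not match: try the next directive
        decided, control = False, "stop"
        for by in d.bys:
            if not who_matches(by.who, requester, target):
                continue
            level, control, decided = by.level, by.control, True
            if control != "continue":
                break
        if not decided:
            return frozenset()   # target matched but no <by> did: implicit 'by * none'
        if control != "break":
            return level         # stop: this clause is the final word
        # break: carry the level forward and let a later directive override it
    return level

def allowed(directives, requester, target, attr, priv):
    return priv in effective_level(directives, requester, target, attr)

# ACL sets reconstructed from the thread; 'read' on cn=limited's clause is the reply's suggestion.
PASSWORD = "access to attr=userpassword\n by self =xw\n by anonymous auth\n"
CATCHALL = "access to *\n by self write\n by users read\n"
ORIGINAL = PASSWORD + CATCHALL
ATTEMPT = PASSWORD + ("access to attr=c,o,ou,cn,sn,givenName,mail\n"
                      ' by dn.exact="cn=limited,dc=example,dc=com" read\n by * break\n') + CATCHALL
FIXED = PASSWORD + ("access to * attr=userPassword,secretAgentID\n"
                    ' by dn.exact="cn=limited,dc=example,dc=com" none\n by * break\n') + CATCHALL
LIMITED, ALICE, BOB = ("cn=limited,dc=example,dc=com",      # constructed DNs
                       "uid=alice,dc=example,dc=com", "uid=bob,dc=example,dc=com")

if __name__ == "__main__":
    for name, text in (("original", ORIGINAL), ("attempt", ATTEMPT), ("fixed", FIXED)):
        print(f"{name}: limited reads secretAgentID ->",
              allowed(parse_acl(text), LIMITED, ALICE, "secretAgentID", "r"))
```

Running it shows the two points the reply makes: under the original ACL cn=limited is already denied userPassword (the first directive matches the attribute and no "by" clause matches that DN, so the implicit "by * none" applies), while secretAgentID falls through to "access to *" and is readable; Brett's attribute list changes nothing for secretAgentID because that directive never matches it; only an explicit directive that names the sensitive attributes, with "by * break" so everyone else still reaches #7, closes the gap.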