
Re: Question to an ACL



Andreas Rudat writes:
> I'm trying to understand these acl's:
> 
> {0} to attrs=userPassword,shadowLastChange,sambaNTPassword,sambaLMPassword
>      by dn="cn=admin,dc=foo,dc=bar" write <--admin can read/write
>      by anonymous auth <--anonymous can auth
>      by self  write  <--- object owner can read/write
>      by * none <--all other users denied
> 
> {1}to dn.base=""
>      by * read <-- all can read the root dc=foo, dc=bar
> {2}to *
>      by dn="cn=admin,dc=studsemi,dc=intern" write <--
>      by * read
> 
> so with acl 0: users and admin can read/write passwords, all others can
> do nothing with that

Yup.  At our site we don't make userPassword readable or searchable by
anyone except the rootdn.  I.e. we use '=w' instead of 'write'.  Or
'=wx' just in case there are some slapd features that can use it for
auth.

> acl 1: ALL can read the root dc=foo,dc=bar

No, all can read entry "".  Unless you mistyped dn.base="dc=foo,dc=bar".
DN "" is not part of any database.  It refers to the root DSE, a
read-only entry describing the server.  If you have a database with
suffix "", the ACL also affects add/delete of entries below that (the
pseudo-attribute "children") and non-baseobject searches from DN "".

> acl 2: all other attributes can be read by all others and only admin can
> also modify all other attributes?
> 
> so if that is correct, then I think acl 1 isn't needed?

Probably.  Its effect here is to prevent ACL 2 for DN "", i.e. it
prevents admin write access for that DN, which makes no difference
except in a database with suffix "".

-- 
Hallvard
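
Added example (editor's illustration, not text from either poster): the
quoted ACL set rewritten the way the reply suggests, as slapd.conf
"access" directives. It assumes the suffix dc=foo,dc=bar and the admin DN
cn=admin,dc=foo,dc=bar (the quoted ACL 2 uses a different suffix,
dc=studsemi,dc=intern; one is picked here for consistency). The ACL on
dn.base="" is dropped, since that DN is the root DSE rather than the
database root.

```conf
# Added example, not the original poster's configuration.
# Assumed suffix: dc=foo,dc=bar; assumed admin: cn=admin,dc=foo,dc=bar.

# Password-type attributes: nobody gets read, search or compare.
# "=w" grants exactly the write privilege; unlike "write" it does not
# imply read, so no bound client can fetch the stored hash.
# "auth" lets an anonymous client use the attribute for a simple bind.
# The rootdn bypasses ACLs, so it is the only identity that can read them.
access to attrs=userPassword,shadowLastChange,sambaNTPassword,sambaLMPassword
    by dn.exact="cn=admin,dc=foo,dc=bar" =w
    by anonymous auth
    by self =w
    by * none

# Variant mentioned in the reply: "=wx" adds the auth privilege to write,
# for slapd features that consult the attribute during authentication.
# To use it, replace the "self" line above with:
#   by self =wx

# Everything else: admin may modify, everyone may read.
# The former 'to dn.base=""' rule is intentionally absent; it only kept
# this rule from matching the root DSE, which is read-only anyway unless
# a database with suffix "" exists.
access to *
    by dn.exact="cn=admin,dc=foo,dc=bar" write
    by * read
```

dn.exact="..." is written out explicitly here; the plain dn="..." form in
the quoted post means the same thing. The result can be checked without a
running server with slapacl(8), for instance asking whether an ordinary
user (DN assumed) may read its own password attribute:
slapacl -f slapd.conf -D "uid=alice,ou=people,dc=foo,dc=bar" -b "uid=alice,ou=people,dc=foo,dc=bar" userPassword/read
which should report read access as DENIED, while the same query with
userPassword/write is ALLOWED.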