[Date Prev][Date Next]
Re: Access questions
On Mon, Jan 14, 2013 at 10:28 PM, Dieter Klünter <firstname.lastname@example.org> wrote:
> Am Mon, 14 Jan 2013 21:11:26 -0800
> schrieb Ori Bani <email@example.com>:
>> I think I understand that default access for everything that does not
>> have any access rule is to allow read permission to everyone. All
>> other entries (that have some form of access rules) will have a
>> default of "access to * by * none" applied. I'd like instead to have
>> all defaults be no access.
>> I have a directory that will be used for internal email processes and
>> also have a certain amount of public/anonymous access (but only to
>> chosen attributes). Due to the public/anonymous component, I'd like
>> to have default access rules be as restrictive as possible.
>> Does it make sense to (do people commonly) set a global access of
>> "access to * by * none" and then open access up for individual
>> databases as desired?
>> I'm thinking a global rule:
>> access to *
>> by dn.base="cn=Manager,dc=example,dc=com" write
>> by * none
>> Then each database will have to explicitly open access only as much
>> as needed.
> No, that is not the way ACL's work.
The rules I suggested were a result of reading through all the
documentation. Can you please be more specific as to what part of my
suggestion is wrong-headed or will not work?
Or can someone else give it a try?