[Date Prev][Date Next]
Re: Access questions
Am Tue, 15 Jan 2013 09:43:02 -0800
schrieb Ori Bani <firstname.lastname@example.org>:
> On Mon, Jan 14, 2013 at 10:28 PM, Dieter KlÃnter
> <email@example.com> wrote:
> > Am Mon, 14 Jan 2013 21:11:26 -0800
> > schrieb Ori Bani <firstname.lastname@example.org>:
> >> Hello,
> >> I think I understand that default access for everything that does
> >> not have any access rule is to allow read permission to everyone.
> >> All other entries (that have some form of access rules) will have a
> >> default of "access to * by * none" applied. I'd like instead to
> >> have all defaults be no access.
> >> I have a directory that will be used for internal email processes
> >> and also have a certain amount of public/anonymous access (but
> >> only to chosen attributes). Due to the public/anonymous
> >> component, I'd like to have default access rules be as restrictive
> >> as possible.
> >> Does it make sense to (do people commonly) set a global access of
> >> "access to * by * none" and then open access up for individual
> >> databases as desired?
> >> I'm thinking a global rule:
> >> access to *
> >> by dn.base="cn=Manager,dc=example,dc=com" write
> >> by * none
> >> Then each database will have to explicitly open access only as much
> >> as needed.
> > No, that is not the way ACL's work.
> The rules I suggested were a result of reading through all the
> documentation. Can you please be more specific as to what part of my
> suggestion is wrong-headed or will not work?
> Or can someone else give it a try?
The most important sentence is:
control checking stops at the first match of the <what> and
<who> clause, unless otherwise dictated by the <control> clause.
According to your rule set checking will stop at the first rule, that
is " access to * by * none".
In order to check your rule sets run slapd in debugging mode -d acl.
Dieter KlÃnter | Systemberatung
GPG Key ID:DA147B05