
Re: Access questions



>> >> >> I think I understand that default access for everything that
>> >> >> does not have any access rule is to allow read permission to
>> >> >> everyone. All other entries (that have some form of access
>> >> >> rules) will have a default of "access to * by * none" applied.
>> >> >> I'd like instead to have all defaults be no access.
>> >> >>
>> >> >> I have a directory that will be used for internal email
>> >> >> processes and also have a certain amount of public/anonymous
>> >> >> access (but only to chosen attributes).  Due to the
>> >> >> public/anonymous component, I'd like to have default access
>> >> >> rules be as restrictive as possible.
>> >> >>
>> >> >> Does it make sense to (do people commonly) set a global access
>> >> >> of "access to * by * none" and then open access up for
>> >> >> individual databases as desired?
>> >> >>
>> >> >> I'm thinking a global rule:
>> >> >>
>> >> >> access to *
>> >> >>      by dn.base="cn=Manager,dc=example,dc=com" write
>> >> >>      by * none
>> >> >>
>> >> >> Then each database will have to explicitly open access only as
>> >> >> much as needed.
>> >> >
>> >> > No, that is not the way ACLs work.
>> >>
>> >> The rules I suggested were a result of reading through all the
>> >> documentation. Can you please be more specific as to what part of
>> >> my suggestion is wrong-headed or will not work?
>> >>
>> >> Or can someone else give it a try?
>> >
>> > The most important sentence is:
>> > "Access control checking stops at the first match of the <what> and
>> > <who> clause, unless otherwise dictated by the <control> clause."
>> >
>> > According to your rule set, checking will stop at the first rule,
>> > that is "access to * by * none".
>>
>> That rule being a global rule, my understanding is that it gets
>> appended to rules that are specified for any one database. This is
>> redundant because any defined rules automatically have "access to * by
>> * none" appended to them.
>>
>> However, the reason I propose it is to ensure that any other access to
>> the LDAP server is denied in case some other database mistakenly
>> doesn't have rules, etc. -- just a secure fallback, a very common way
>> to approach publicly accessible systems as I'm sure you know.
>>
>> Does that clarify that part of my original inquiry?
>
> Just test it, as I mentioned: run slapd in debugging mode with ACL
> parsing, or test with slapacl(8).

With due respect, if upon testing it does not work, my question still
remains - how can I make the default/global access rule to deny access
to everything for everyone?

I was also wondering if the rest of my rules made sense or not (see
first post in thread).
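To make the first-match point concrete, here is an added slapd.conf fragment (my own illustration, not config from anyone in this thread) that puts the poster's "deny everything" fallback in the global section and shows, inside the database section, the ordering that breaks under first-match evaluation beside the ordering that works. The suffix, DNs, attribute choices, backend and file path are assumptions; the ordering semantics follow slapd.access(5) as I read it.

```conf
# Added example, not from the thread. DNs, attributes, paths are assumed.

#### Global section: applies to every database, consulted only after the
#### database's own access directives (slapd.access(5)); the belt-and-braces
#### fallback the original poster asked about.
access to *
        by dn.base="cn=Manager,dc=example,dc=com" write
        by * none

database mdb          # assumption: use bdb on older releases
suffix   "dc=example,dc=com"
rootdn   "cn=Manager,dc=example,dc=com"

#### WRONG ORDER: catch-all first. Checking stops at the first <what>/<who>
#### match, so the specific directive below it is never reached and the
#### attributes meant to be public are unreadable too.
# access to *
#         by * none
# access to attrs=entry,cn,mail
#         by * read

#### RIGHT ORDER: most specific first, catch-all last.
# Passwords: owner may change, anyone may bind with it, nobody may read it.
access to attrs=userPassword
        by self write
        by anonymous auth
        by * none
# Public attributes only. "entry" is the pseudo-attribute that must be
# readable for an entry to be returned by a search at all.
access to dn.subtree="ou=People,dc=example,dc=com" attrs=entry,cn,mail
        by * read
# A bound user may read the rest of their own entry; everyone else is denied.
access to dn.subtree="ou=People,dc=example,dc=com"
        by self read
        by * none
# Everything else in this database is denied before the global rule is tried.
access to *
        by * none

#### Check offline with slapacl(8) rather than guessing. Invocation assumed
#### from the man page; -D "" stands for an anonymous bind.
#   slapacl -f /etc/openldap/slapd.conf -D "" \
#       -b "uid=alice,ou=People,dc=example,dc=com" mail/read
#   -> read access to mail: ALLOWED
#   slapacl -f /etc/openldap/slapd.conf -D "" \
#       -b "uid=alice,ou=People,dc=example,dc=com" userPassword/read
#   -> read access to userPassword: DENIED
```

Re-running the two slapacl commands after swapping in the commented-out WRONG ORDER block shows the first one flip to DENIED, which is the shadowing the reply about first-match checking was warning about.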