
Re: LDAP Crafted Search Request Access Allowed



On Mon, Oct 27, 2014 at 03:43:03PM -0300, Net Warrior wrote:

> Based on the ACLs I posted from my configuration, what else can you
> recommend to include, tweak or modify?

As both Michael and Dieter have said, this is very dependent on your
site's requirements and policy. You need to work out what those are.
If you can answer these questions, we might be able to help you some more:

1)	Should an anonymous user be able to get any data at all?
	(Ignore the root entry: we are talking about the subtree
	under dc=domain,dc=com here)

2)	What classes of user should have access to the data?
	Examples might be:

		LDAP administrator
		Web applications
		Desktop addressbook users
		Webmail users
		Directory synchronisation processes

3)	For each of the above, what data (entries and attributes)
	do they need?

4)	How will the users authenticate to the LDAP service?
	i.e. will the user DNs and passwords be configured into
	the applications, or is the human user expected to supply
	a username and password each time?

Andrew
-- 
-----------------------------------------------------------------------
|                 From Andrew Findlay, Skills 1st Ltd                 |
| Consultant in large-scale systems, networks, and directory services |
|     http://www.skills-1st.co.uk/                +44 1628 782565     |
-----------------------------------------------------------------------
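As an added illustration of how the answers to the four questions above might map onto slapd.conf access directives (this is not part of Andrew's reply and not the poster's configuration; the group and service-account DNs under dc=domain,dc=com are assumed):

```conf
# Added example: hypothetical groups and service accounts, not the
# poster's real directory. slapd uses the first "access to" clause whose
# target matches the entry/attribute, then the first matching "by" clause.

# Q1/Q4: nobody reads password hashes. Anonymous may only use them to
# bind (auth); the owner and the admin group may change them; the sync
# account reads them only if it has to replicate password hashes.
access to dn.subtree="dc=domain,dc=com" attrs=userPassword
    by group.exact="cn=ldapadmins,ou=groups,dc=domain,dc=com" write
    by dn.exact="cn=sync,ou=services,dc=domain,dc=com" read
    by self write
    by anonymous auth
    by * none

# Q2/Q3: address-book and webmail users and the web application see only
# the attributes they need. "entry" must be in the list, otherwise these
# clients cannot search or read anything under ou=people at all.
access to dn.subtree="ou=people,dc=domain,dc=com"
        attrs=entry,cn,sn,givenName,mail,telephoneNumber
    by group.exact="cn=ldapadmins,ou=groups,dc=domain,dc=com" write
    by group.exact="cn=addressbook,ou=groups,dc=domain,dc=com" read
    by group.exact="cn=webmail,ou=groups,dc=domain,dc=com" read
    by dn.exact="cn=webapp,ou=services,dc=domain,dc=com" read
    by dn.exact="cn=sync,ou=services,dc=domain,dc=com" read
    by self read
    by * none

# Everything else in the subtree: admins manage it, the synchronisation
# account reads it, users see their own entry, and anonymous gets nothing
# (Q1), so an unauthenticated search of the subtree returns no entries.
access to dn.subtree="dc=domain,dc=com"
    by group.exact="cn=ldapadmins,ou=groups,dc=domain,dc=com" write
    by dn.exact="cn=sync,ou=services,dc=domain,dc=com" read
    by self read
    by * none
```

Before deploying, bind as each class of user (and anonymously) with ldapsearch and confirm that each one sees exactly the entries and attributes the policy intends.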