
Re: ACL Blacklist



> Could anyone give me advice on implementing blacklists, the following
> does not seem to work :
>
> access	to attr=userPassword
> 	by dn="uid=testuser,ou=people,dc=mydomain,dc=com" none
> 	by self read
> 	by * auth
>
> access 	to *
> 	by * read
>
>
> I'd like to replace
>
> by dn="uid=testuser,ou=people,dc=mydomain,dc=com" none
>
> with
>
> by group="ou=blacklist,ou=people,dc=mydomain,dc=com" none
>
> but I can't get the basics to work - I've seen postings on whitelist
> access for admin staff but nothing on denying access based on
> groupOfNames.

Blacklisting, AFAIK, is the same as whitelisting,
with access denied instead of allowed.

So, "by group=<blacklist dn> none" is fine.
I infer that your problem is in what the <blacklist dn>
contains, or how it is defined.  It must be an entry
of "groupOfNames" objectClass, and those DNs listed
in the "member" attribute will be given the access
privileges you set at the end of the "by" clause, in
your case "none".

See slapd.access(5) for a detailed description of the
access clauses, and be sure you read the manual related
to your software version (which you do not mention:
ACL syntax and semantics don't change very often,
but when they do it can be a pain somewhere behind).

p.

-- 
Pierangelo Masarati
mailto:pierangelo.masarati@sys-net.it
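A worked version of what the reply describes, added here as an example and not taken from either poster: the blacklist defined as a groupOfNames entry (LDIF), followed by the matching slapd.conf ACL. The group DN cn=blacklist,ou=people,dc=mydomain,dc=com and the file names are assumptions; the member DN is the one from the original question.

```conf
# --- blacklist.ldif (constructed example) ---
# The <who> clause "group=<dn>" matches only if <dn> is a groupOfNames
# entry (objectClass/attribute can be overridden with
# group/<objectClass>/<attr>=<dn>, the default being groupOfNames/member).
# An ou=blacklist entry would normally be an organizationalUnit and
# would never match, which is one way the original attempt can fail.
dn: cn=blacklist,ou=people,dc=mydomain,dc=com
objectClass: groupOfNames
cn: blacklist
member: uid=testuser,ou=people,dc=mydomain,dc=com

# --- slapd.conf ACL fragment (constructed example) ---
# slapd uses the first "by" clause whose <who> matches and then stops,
# so the deny must stay ahead of "by self read" and "by * auth":
# a blacklisted user reading their own entry would otherwise match
# "self" first and be granted access anyway. With "none" ahead of
# "by * auth", listed members cannot bind at all.
access to attrs=userPassword
	by group="cn=blacklist,ou=people,dc=mydomain,dc=com" none
	by self read
	by * auth

access to *
	by group="cn=blacklist,ou=people,dc=mydomain,dc=com" none
	by * read
```

On releases that ship slapacl(8), the result can be checked offline against the configuration, for example `slapacl -f slapd.conf -D "uid=testuser,ou=people,dc=mydomain,dc=com" -b "uid=testuser,ou=people,dc=mydomain,dc=com" userPassword/read`, which should report the access as denied for a group member.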