[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: ACL Blacklist

To: <richard.moon@netcentrica.com>
Subject: Re: ACL Blacklist
From: "Pierangelo Masarati" <ando@sys-net.it>
Date: Thu, 15 Jan 2004 14:41:26 +0100 (CET)
Cc: <ando@sys-net.it>, <openldap-software@OpenLDAP.org>
Importance: Normal
In-reply-to: <1074172960.3256.78.camel@rmlap>
References: <1074168816.3256.49.camel@rmlap> <65071.81.72.89.40.1074170227.squirrel@webmail.sys-net.it> <1074172960.3256.78.camel@rmlap>

> Thanks for the prompt reply, my version of openldap is 2.1.25 - I'm
> using groupOfNames and the entry
>
>
> access	to attr=userPassword
> 	by
> group/groupOfNames/member="cn=sys_black_list,ou=sys,ou=groups,dc=mydomain,dc=com"
> none
> 	by users read
> 	by * auth
>
> access 	to *
> 	by * read

I think I had some ham slices on my eyes: the "by group=<> none
does not mathc, because before bind takes place, your user has
no identity.  But the "by * none" matches it, so it gets read
permission on the password as well!  You can't inhibit bind
(how could your DSA be of any use, otherwise?), simply use
"by group=<> none" to everything else, e.g.

access to attrs=userPassword
    by * auth

access to *
    by group=<blacklist dn> none
    by users read
    by * none

note the "by users read"; if you simply do "by * read", then unbound
users would have read privileges, while bound users in blacklist
would not.  I guess the first thing blacklisted user would do is not
to auth any more!

p.

-- 
Pierangelo Masarati
mailto:pierangelo.masarati@sys-net.it

References:
- ACL Blacklist
  - From: Richard Moon <richard.moon@netcentrica.com>
- Re: ACL Blacklist
  - From: "Pierangelo Masarati" <ando@sys-net.it>
- Re: ACL Blacklist
  - From: Richard Moon <richard.moon@netcentrica.com>

Prev by Date: Re: sql-backend
Next by Date: Re: please help me !!!
Index(es):
- Chronological
- Thread