Access questions
- To: openldap-technical@openldap.org
- Subject: Access questions
- From: Ori Bani <oribani@gmail.com>
- Date: Mon, 14 Jan 2013 21:11:26 -0800
Hello,
I think I understand that default access for everything that does not
have any access rule is to allow read permission to everyone. All
other entries (that have some form of access rules) will have a
default of "access to * by * none" applied. I'd like instead to have
all defaults be no access.
I have a directory that will be used for internal email processes and
also have a certain amount of public/anonymous access (but only to
chosen attributes). Due to the public/anonymous component, I'd like
to have default access rules be as restrictive as possible.
Does it make sense to (do people commonly) set a global access of
"access to * by * none" and then open access up for individual
databases as desired?
I'm thinking a global rule:
access to *
    by dn.base="cn=Manager,dc=example,dc=com" write
    by * none
Then each database will have to explicitly open access only as much as needed.
The following would be in the database that uses the suffix for
dc=example,dc=com
Passwords for auth only, only admin can change passwords:
access to attrs=userPassword
    by dn.base="cn=Manager,dc=example,dc=com" write
    by anonymous auth
    by * none
Attributes needed by email delivery software only visible to the entry itself:
access to attrs=mailMessageStore,homeDirectory,uidNumber,gidNumber
    by dn.base="cn=Manager,dc=example,dc=com" write
    by self read
    by * none
Publicly available attributes defined explicitly:
access to attrs=mail,jpegPhoto
    by dn.base="cn=Manager,dc=example,dc=com" write
    by * read
Nothing else can be seen by anyone except the admin:
access to *
    by dn.base="cn=Manager,dc=example,dc=com" write
    by * none
In this scenario, cn is used to identify entries when searching, but as
you see, that attribute is forbidden to anonymous. Is that a problem,
or is it OK to allow queries against cn while still disallowing cn in
the results?
I guess I'd also add this within this database's context, but I have
to do it above the other rules I just listed?
access to dn.base="cn=Manager,dc=example,dc=com"
    by peername.ip=127.0.0.1 auth
    by peername.ip=192.168.0.0%255.255.255.0 auth
    by * none
Any tips much appreciated.
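Editor's note, with an added example that is not part of the post and not OpenLDAP code. The post's two open questions (can anonymous clients filter on cn when cn is `by * none`, and must the peername rule sit above the catch-all) both come down to how slapd evaluates ACLs: the first `access to <what>` clause that matches the entry or attribute is used, within it the first matching `by <who>` clause decides, privilege levels are ordered none < disclose < auth < compare < search < read < write < manage with each level implying the lower ones, a search filter needs at least `search` on the attribute it tests, and when no clause matches slapd's default is `read`. Database ACLs are evaluated before the global ones, and the rootdn is never subject to ACLs, so the `dn.base="cn=Manager,..."` clauses only matter if that DN is an ordinary entry rather than the database rootdn. The script below is a small Python model of those rules with the post's ACLs typed in as data; the sample DNs and client addresses are constructed, and the model supports only the selectors the post uses.

```python
"""Toy first-match model of slapd ACL evaluation (added example, not OpenLDAP code).
Model assumptions: levels none < disclose < auth < compare < search < read < write < manage,
each implying the lower ones; the first `access to <what>` clause matching the target is used,
and within it the first matching `by <who>` clause decides with no fall-through (no match means
deny); with no matching clause at all slapd's default `read` applies.  The rootdn, which slapd
exempts from ACLs, is not modelled: cn=Manager is treated here as an ordinary entry."""
from dataclasses import dataclass
from typing import List, Optional, Tuple
import ipaddress
LEVELS = ["none", "disclose", "auth", "compare", "search", "read", "write", "manage"]
Rule = Tuple[str, List[Tuple[str, str]]]   # (<what>, [(<who>, <level>), ...]) in config order

def grants(granted: str, needed: str) -> bool:
    """A granted level implies every lower level (read implies search, etc.)."""
    return LEVELS.index(granted) >= LEVELS.index(needed)

@dataclass
class Request:
    bind_dn: Optional[str]      # None means anonymous
    peer_ip: str
    target_dn: str
    attr: str
    needed: str

def _dn(spec: str) -> str:   # DN part of a dn.base="..." selector, normalised
    return spec.split("=", 1)[1].strip().strip('"').lower()

def what_matches(what: str, req: Request) -> bool:
    if what == "*":
        return True
    if what.startswith("attrs="):
        return req.attr in {a.strip() for a in what[len("attrs="):].split(",")}
    if what.startswith("dn.base="):
        return _dn(what) == req.target_dn.lower()
    raise ValueError(f"unsupported <what>: {what}")

def who_matches(who: str, req: Request) -> bool:
    if who == "*":
        return True
    if who == "anonymous":
        return req.bind_dn is None
    if who == "self":
        return req.bind_dn is not None and req.bind_dn.lower() == req.target_dn.lower()
    if who.startswith("dn.base="):
        return req.bind_dn is not None and req.bind_dn.lower() == _dn(who)
    if who.startswith("peername.ip="):
        addr, _, mask = who[len("peername.ip="):].partition("%")  # slapd ADDR%MASK form
        net = ipaddress.ip_network(f"{addr}/{mask}" if mask else addr, strict=False)
        return ipaddress.ip_address(req.peer_ip) in net
    raise ValueError(f"unsupported <who>: {who}")

def evaluate(rules: List[Rule], req: Request) -> Tuple[bool, str]:
    """Return (allowed, which clause decided) for one access check."""
    for index, (what, by) in enumerate(rules, start=1):
        if not what_matches(what, req):
            continue
        for who, level in by:
            if who_matches(who, req):
                return grants(level, req.needed), f"rule {index}: by {who} {level}"
        return False, f"rule {index}: no <by> clause matched, implicit deny"
    return True, "no rule matched: slapd default read access"

MANAGER = 'dn.base="cn=Manager,dc=example,dc=com"'
# The database ACLs proposed in the post, in the order given there.
DB_RULES: List[Rule] = [
    ("attrs=userPassword", [(MANAGER, "write"), ("anonymous", "auth"), ("*", "none")]),
    ("attrs=mailMessageStore,homeDirectory,uidNumber,gidNumber",
     [(MANAGER, "write"), ("self", "read"), ("*", "none")]),
    ("attrs=mail,jpegPhoto", [(MANAGER, "write"), ("*", "read")]),
    ("*", [(MANAGER, "write"), ("*", "none")]),
]
# The peername restriction on the manager entry from the end of the post.
PEER_RULE: Rule = (MANAGER, [("peername.ip=127.0.0.1", "auth"),
                             ("peername.ip=192.168.0.0%255.255.255.0", "auth"), ("*", "none")])
# Constructed sample DNs and client addresses (not from the post).
ALICE = "uid=alice,ou=people,dc=example,dc=com"
BOB = "uid=bob,ou=people,dc=example,dc=com"
MANAGER_DN = "cn=Manager,dc=example,dc=com"

def allowed(rules, target, attr, needed, bind=None, ip="203.0.113.9") -> bool:
    return evaluate(rules, Request(bind, ip, target, attr, needed))[0]

def check_examples() -> dict:
    """Access checks against the post's ACLs; True means the model allows the operation."""
    mgr_bind = lambda rules, ip: allowed(rules, MANAGER_DN, "userPassword", "auth", ip=ip)
    return {
        # anonymous may read the public attributes, but a filter like (cn=alice)
        # needs `search` on cn, which the final `by * none` does not grant
        "anon_read_mail": allowed(DB_RULES, ALICE, "mail", "read"),
        "anon_search_cn": allowed(DB_RULES, ALICE, "cn", "search"),
        # anonymous can bind against userPassword but never read it
        "anon_auth_pw": allowed(DB_RULES, ALICE, "userPassword", "auth"),
        "anon_read_pw": allowed(DB_RULES, ALICE, "userPassword", "read"),
        # delivery attributes: the entry itself yes, another user no
        "self_read_home": allowed(DB_RULES, ALICE, "homeDirectory", "read", bind=ALICE),
        "bob_read_alice_home": allowed(DB_RULES, ALICE, "homeDirectory", "read", bind=BOB),
        # ordering: appended last, the peername rule is shadowed by rule 1 (userPassword);
        # placed first, it is the clause that decides binds against the manager entry
        "peer_rule_last_remote": mgr_bind(DB_RULES + [PEER_RULE], "10.0.0.5"),
        "peer_rule_first_remote": mgr_bind([PEER_RULE] + DB_RULES, "10.0.0.5"),
        "peer_rule_first_lan": mgr_bind([PEER_RULE] + DB_RULES, "192.168.0.42"),
    }
```

Running `check_examples()` shows the two points the post asks about: `anon_search_cn` is denied under the proposed rules, because `by * none` on the catch-all grants nothing and a filter on cn needs `search`, so anonymous clients would have to locate entries by an attribute that is readable (mail in this set) or cn would need at least `search` granted; and the peername rule only takes effect when it precedes the userPassword and catch-all clauses, since otherwise an earlier `access to` clause matches the bind first. `evaluate` also returns which clause decided, which is the same question slapd answers with `loglevel acl` on a real server.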