On Mon, Jan 14, 2013 at 10:28 PM, Dieter Klünter <[email protected]> wrote:
> On Mon, 14 Jan 2013 21:11:26 -0800,
> Ori Bani <[email protected]> wrote:
>
>> Hello,
>>
>> I think I understand that default access for everything that does not
>> have any access rule is to allow read permission to everyone. All
>> other entries (that have some form of access rules) will have a
>> default of "access to * by * none" applied. I'd like instead to have
>> all defaults be no access.
>>
>> I have a directory that will be used for internal email processes and
>> also have a certain amount of public/anonymous access (but only to
>> chosen attributes). Due to the public/anonymous component, I'd like
>> to have default access rules be as restrictive as possible.
>>
>> Does it make sense to (do people commonly) set a global access of
>> "access to * by * none" and then open access up for individual
>> databases as desired?
>>
>> I'm thinking a global rule:
>>
>> access to *
>>     by dn.base="cn=Manager,dc=example,dc=com" write
>>     by * none
>>
>> Then each database will have to explicitly open access only as much
>> as needed.
>
> No, that is not the way ACL's work.

The rules I suggested were a result of reading through all the documentation. Can you please be more specific as to what part of my suggestion is wrong-headed or will not work? Or can someone else give it a try?
