On Tue, 15 Jan 2013 09:43:02 -0800, Ori Bani <[email protected]> wrote:

> On Mon, Jan 14, 2013 at 10:28 PM, Dieter Klünter
> <[email protected]> wrote:
> > On Mon, 14 Jan 2013 21:11:26 -0800, Ori Bani <[email protected]> wrote:
> >
> >> Hello,
> >>
> >> I think I understand that default access for everything that does
> >> not have any access rule is to allow read permission to everyone.
> >> All other entries (that have some form of access rules) will have a
> >> default of "access to * by * none" applied. I'd like instead to
> >> have all defaults be no access.
> >>
> >> I have a directory that will be used for internal email processes
> >> and also have a certain amount of public/anonymous access (but
> >> only to chosen attributes). Due to the public/anonymous
> >> component, I'd like to have default access rules be as restrictive
> >> as possible.
> >>
> >> Does it make sense to (do people commonly) set a global access of
> >> "access to * by * none" and then open access up for individual
> >> databases as desired?
> >>
> >> I'm thinking a global rule:
> >>
> >>   access to *
> >>     by dn.base="cn=Manager,dc=example,dc=com" write
> >>     by * none
> >>
> >> Then each database will have to explicitly open access only as much
> >> as needed.
> >
> > No, that is not the way ACLs work.
>
> The rules I suggested were a result of reading through all the
> documentation. Can you please be more specific as to what part of my
> suggestion is wrong-headed or will not work?
>
> Or can someone else give it a try?

The most important sentence is:

  Access control checking stops at the first match of the <what> and <who>
  clause, unless otherwise dictated by the <control> clause.

According to your rule set checking will stop at the first rule, that is
"access to * by * none". In order to check your rule sets run slapd in
debugging mode -d acl.

-Dieter

-- 
Dieter Klünter | Systemberatung
http://dkluenter.de
GPG Key ID:DA147B05
53°37'09,95"N 10°08'02,42"E
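The following is an added illustration of the first-match rule Dieter quotes; it is not code from the thread or from OpenLDAP. It is a deliberately simplified Python model of slapd ACL evaluation: a directive's <what> is reduced to a DN suffix plus an optional attribute set, <who> to `*`, `anonymous`, `users` and `dn.base`, and checking stops at the first directive whose <what> matches and the first <who> clause inside it that matches the requester. <control> clauses (stop/continue/break) and the rootdn bypass are left out, and the manager DN, suffix, user entry and attribute names are constructed placeholders. It places the catch-all deny from the original post first, as proposed, and then last, and shows what each ordering grants.

```python
# Added example: simplified model of slapd first-match ACL evaluation.
# Not OpenLDAP code; DNs, suffix and attribute names are constructed placeholders.
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Who:
    kind: str                  # "*", "anonymous", "users" or "dn.base"
    level: str                 # "none", "read", "write", ...
    dn: Optional[str] = None   # only used when kind == "dn.base"


@dataclass
class Directive:
    suffix: Optional[str] = None   # <what> dn.subtree; None means "*"
    attrs: Optional[set] = None    # <what> attrs=...; None means all attributes
    who: list = field(default_factory=list)

    def matches_what(self, entry_dn: str, attr: str) -> bool:
        if self.suffix is not None and not entry_dn.endswith(self.suffix):
            return False
        if self.attrs is not None and attr not in self.attrs:
            return False
        return True


def who_matches(w: Who, requester_dn: Optional[str]) -> bool:
    """requester_dn is None for an anonymous bind."""
    if w.kind == "*":
        return True
    if w.kind == "anonymous":
        return requester_dn is None
    if w.kind == "users":
        return requester_dn is not None
    if w.kind == "dn.base":
        return requester_dn == w.dn
    raise ValueError(f"unknown <who> kind {w.kind!r}")


def evaluate(acl: list, requester_dn: Optional[str], entry_dn: str, attr: str) -> str:
    """Access level granted to requester_dn on attr of entry_dn.

    With no directives at all the default is read for everyone; once any
    directive exists the list ends in an implicit "access to * by * none".
    """
    if not acl:
        return "read"
    for d in acl:
        if not d.matches_what(entry_dn, attr):
            continue                 # <what> did not match: try the next directive
        for w in d.who:
            if who_matches(w, requester_dn):
                return w.level       # first <who> match: checking stops here
        return "none"                # <what> matched but no <who> did: implicit deny
    return "none"                    # nothing matched: implicit "access to * by * none"


MANAGER = "cn=Manager,dc=example,dc=com"   # constructed
SUFFIX = "dc=example,dc=com"               # constructed
USER = "uid=alice," + SUFFIX               # constructed entry (and requester)


def catch_all_first() -> list:
    """Ordering as proposed in the thread: the global deny comes first, and the
    directive meant to expose 'mail' to anonymous clients comes after it."""
    return [
        Directive(who=[Who("dn.base", "write", MANAGER), Who("*", "none")]),
        Directive(suffix=SUFFIX, attrs={"mail"}, who=[Who("anonymous", "read")]),
    ]


def catch_all_last() -> list:
    """Same intent: specific directive first, catch-all deny last. The manager
    clause is repeated on purpose: once a <what> matches, later directives are
    never consulted, so each directive must list every <who> it should serve."""
    return [
        Directive(suffix=SUFFIX, attrs={"mail"},
                  who=[Who("dn.base", "write", MANAGER), Who("anonymous", "read")]),
        Directive(who=[Who("dn.base", "write", MANAGER), Who("*", "none")]),
    ]


if __name__ == "__main__":
    for name, acl in (("catch-all first", catch_all_first()),
                      ("catch-all last", catch_all_last())):
        print(name)
        print("  anonymous -> mail:        ", evaluate(acl, None, USER, "mail"))
        print("  anonymous -> userPassword:", evaluate(acl, None, USER, "userPassword"))
        print("  manager   -> mail:        ", evaluate(acl, MANAGER, USER, "mail"))
```

With the catch-all first, the anonymous read of `mail` never happens because the first directive's <what> (`*`) already matched and its `by * none` clause ended the check; with the catch-all last, anonymous clients read `mail`, get nothing on `userPassword`, and the manager keeps write everywhere only because the manager clause is repeated in the `mail` directive. The model is there to make the ordering visible; the authoritative check of a real rule set is the one Dieter names, running slapd with `-d acl`.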
