On Tue, Jan 15, 2013 at 11:52 AM, Dieter Klünter <[email protected]> wrote:
> On Tue, 15 Jan 2013 09:43:02 -0800
> Ori Bani <[email protected]> wrote:
>
>> On Mon, Jan 14, 2013 at 10:28 PM, Dieter Klünter
>> <[email protected]> wrote:
>> > On Mon, 14 Jan 2013 21:11:26 -0800
>> > Ori Bani <[email protected]> wrote:
>> >
>> >> Hello,
>> >>
>> >> I think I understand that default access for everything that does
>> >> not have any access rule is to allow read permission to everyone.
>> >> All other entries (that have some form of access rules) will have a
>> >> default of "access to * by * none" applied. I'd like instead to
>> >> have all defaults be no access.
>> >>
>> >> I have a directory that will be used for internal email processes
>> >> and also have a certain amount of public/anonymous access (but
>> >> only to chosen attributes). Due to the public/anonymous
>> >> component, I'd like to have default access rules be as restrictive
>> >> as possible.
>> >>
>> >> Does it make sense to (do people commonly) set a global access of
>> >> "access to * by * none" and then open access up for individual
>> >> databases as desired?
>> >>
>> >> I'm thinking a global rule:
>> >>
>> >>     access to *
>> >>         by dn.base="cn=Manager,dc=example,dc=com" write
>> >>         by * none
>> >>
>> >> Then each database will have to explicitly open access only as much
>> >> as needed.
>> >
>> > No, that is not the way ACLs work.
>>
>> The rules I suggested were a result of reading through all the
>> documentation. Can you please be more specific as to what part of my
>> suggestion is wrong-headed or will not work?
>>
>> Or can someone else give it a try?
>
> The most important sentence is:
>
>     Access control checking stops at the first match of the <what> and
>     <who> clause, unless otherwise dictated by the <control> clause.
>
> According to your rule set, checking will stop at the first rule, that
> is "access to * by * none".
That rule being a global rule, my understanding is that it gets appended to rules that are specified for any one database. This is redundant because any defined rules automatically have "access to * by * none" appended to them. However, the reason I propose it is to ensure that any other access to the LDAP server is denied in case some other database mistakenly doesn't have rules, etc. -- just a secure fallback, a very common way to approach publicly accessible systems as I'm sure you know. Does that clarify that part of my original inquiry?
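As an added example (not code from the thread or from OpenLDAP itself), here is a small Python model of the evaluation order slapd.access(5) documents: the ACLs of the database holding the entry are checked first, then the global ones, the first matching <what> wins, and every directive ends with an implicit "by * none". The slapd.conf fragments it parses are constructed for the example; the rootdn's ACL bypass and most <what>/<who> forms are deliberately not modelled.

```python
import re

# Access levels in increasing order (slapd.access(5)); granting a level implies those below it.
LEVELS = ["none", "auth", "compare", "search", "read", "write"]

def parse_acls(text):
    """Parse simplified 'access to <what> by <who> <level> ...' directives, in file order."""
    acls = []
    for stmt in re.split(r"^\s*access to\s+", text, flags=re.M)[1:]:
        what, *rest = stmt.split()  # rest is a flat run of 'by <who> <level>' triples
        acls.append((what, [(rest[i + 1], rest[i + 2]) for i in range(0, len(rest), 3)]))
    return acls

def what_matches(what, attr):
    return what == "*" or (what.startswith("attrs=") and attr in what[6:].split(","))

def who_matches(who, requester, dn):  # requester None means an anonymous bind
    if who.startswith("dn.base="):
        return requester == who[8:].strip('"')
    return {"*": True, "anonymous": requester is None, "users": requester is not None,
            "self": requester == dn}.get(who, False)

def access_level(db_acls, global_acls, requester, dn, attr):
    """Evaluate like slapd: the entry's database ACLs first, then the global ACLs, stopping
    at the first <what> match; an unmatched <who> or no match at all yields 'none'."""
    for what, bys in list(db_acls) + list(global_acls):
        if what_matches(what, attr):
            for who, level in bys:
                if who_matches(who, requester, dn):
                    return level
            return "none"  # the implicit 'by * none' that closes every directive
    return "none"

def allowed(db_acls, global_acls, requester, dn, attr, want):
    return LEVELS.index(access_level(db_acls, global_acls, requester, dn, attr)) >= LEVELS.index(want)

def shadowed(acls):
    """Directives that can never match because an earlier 'access to *' swallows everything."""
    stars = [i for i, (what, _) in enumerate(acls) if what == "*"]
    return list(range(stars[0] + 1, len(acls))) if stars else []

# Constructed sample configuration: the thread's global fallback, one database that opens only
# chosen attributes to anonymous readers, and one database whose ACLs were forgotten.
GLOBAL = parse_acls('access to *\n by dn.base="cn=Manager,dc=example,dc=com" write\n by * none')
PEOPLE = parse_acls("access to attrs=userPassword\n by self write\n by anonymous auth\n"
                    "access to attrs=cn,mail\n by * read\naccess to *\n by users read")
MAILQ = []  # no database-level ACLs: only the global directives apply
```

Run `shadowed()` over a database's directive list (or over the global list placed in front of it) to see which rules a leading "access to *" makes unreachable.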
