On Tue, 15 Jan 2013 12:49:15 -0800, Ori Bani <[email protected]> wrote:
> On Tue, Jan 15, 2013 at 11:52 AM, Dieter Klünter
> <[email protected]> wrote:
> > On Tue, 15 Jan 2013 09:43:02 -0800,
> > Ori Bani <[email protected]> wrote:
> >
> >> On Mon, Jan 14, 2013 at 10:28 PM, Dieter Klünter
> >> <[email protected]> wrote:
> >> > On Mon, 14 Jan 2013 21:11:26 -0800,
> >> > Ori Bani <[email protected]> wrote:
> >> >
> >> >> Hello,
> >> >>
> >> >> I think I understand that default access for everything that
> >> >> does not have any access rule is to allow read permission to
> >> >> everyone. All other entries (that have some form of access
> >> >> rules) will have a default of "access to * by * none" applied.
> >> >> I'd like instead to have all defaults be no access.
> >> >>
> >> >> I have a directory that will be used for internal email
> >> >> processes and also have a certain amount of public/anonymous
> >> >> access (but only to chosen attributes). Due to the
> >> >> public/anonymous component, I'd like to have default access
> >> >> rules be as restrictive as possible.
> >> >>
> >> >> Does it make sense to (do people commonly) set a global access
> >> >> of "access to * by * none" and then open access up for
> >> >> individual databases as desired?
> >> >>
> >> >> I'm thinking a global rule:
> >> >>
> >> >> access to *
> >> >>         by dn.base="cn=Manager,dc=example,dc=com" write
> >> >>         by * none
> >> >>
> >> >> Then each database will have to explicitly open access only as
> >> >> much as needed.
> >> >
> >> > No, that is not the way ACLs work.
> >>
> >> The rules I suggested were a result of reading through all the
> >> documentation. Can you please be more specific as to what part of
> >> my suggestion is wrong-headed or will not work?
> >>
> >> Or can someone else give it a try?
> >
> > The most important sentence is: Access control checking stops at
> > the first match of the <what> and <who> clause, unless otherwise
> > dictated by the <control> clause.
> >
> > According to your rule set, checking will stop at the first rule,
> > that is "access to * by * none".
>
> That rule being a global rule, my understanding is that it gets
> appended to rules that are specified for any one database. This is
> redundant because any defined rules automatically have "access to *
> by * none" appended to them.
>
> However, the reason I propose it is to ensure that any other access to
> the LDAP server is denied in case some other database mistakenly
> doesn't have rules, etc. -- just a secure fallback, a very common way
> to approach publicly accessible systems as I'm sure you know.
>
> Does that clarify that part of my original inquiry?

Just test it, as I mentioned: run slapd in debugging mode with ACL parsing, or test with slapacl(8).

-Dieter

--
Dieter Klünter | Systemberatung
http://dkluenter.de
GPG Key ID: DA147B05
53°37'09,95"N 10°08'02,42"E
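The layout the thread is debating, written out as an added example (it is not a configuration posted by either participant): a global deny-all fallback in the slapd.conf global section plus one database that opens only selected attributes. The suffix, rootdn, attribute set, backend and directory path are assumed placeholders, not values from the thread.

```conf
# Added example, not from the thread. slapd.conf ACL layout:
# global "deny everything" fallback, per-database rules open only what is needed.
# dc=example,dc=com, cn=Manager, the attribute list and the paths are placeholders.

# --- Global section (before any "database" directive) -------------------------
# OpenLDAP appends global access directives AFTER each database's own list,
# so this rule is reached only when no database-specific rule matched.
# Because every database then carries at least one access directive, the
# built-in "allow anyone to read anything" policy (which applies only when
# there are no access directives at all) can no longer apply to any database.
access to *
        by dn.base="cn=Manager,dc=example,dc=com" write
        by * none

# --- Database section ---------------------------------------------------------
database mdb
suffix    "dc=example,dc=com"
rootdn    "cn=Manager,dc=example,dc=com"
directory /var/lib/ldap/example          # placeholder path

# Database rules are evaluated first and in order. The first access directive
# whose <what> matches the target decides; within it, the first matching
# <who> clause decides (the default <control> is "stop").

# Attributes published to anonymous/public clients (the "chosen attributes").
access to attrs=mail,cn,sn
        by anonymous read
        by users read
        by * none

# Passwords: owners may change theirs; anonymous may only use them to bind.
access to attrs=userPassword
        by self write
        by anonymous auth
        by * none

# Any entry or attribute not matched above falls through to the global rule,
# where everyone except the manager DN gets "none".
```

Two points worth keeping in mind when reading this: the rootdn is exempt from ACL evaluation altogether, so the `by dn.base="cn=Manager,..." write` clause only matters if that DN is not the database's rootdn; and a `by * none` inside a database rule ends evaluation for that `<what>`, it does not fall through to the global rule. To verify the effective result the way Dieter suggests, start slapd with ACL debugging (`slapd -d acl -f /etc/openldap/slapd.conf`) and watch the evaluation trace, or query a single decision offline with slapacl(8), for example `slapacl -f /etc/openldap/slapd.conf -v -D "uid=bob,ou=People,dc=example,dc=com" -b "uid=alice,ou=People,dc=example,dc=com" mail/read userPassword/read`, which reports each requested access as allowed or denied under the configured rules.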
