Lloyd Zusman wrote:
OK. So what should it look like? Something like this, perhaps?
access to userPassword
by self write
by anonymous auth
by * read
"It" is not a single rule, it's a whole policy. When you're designing
ACIs for LDAP, it's typical to start with a rule that grants read access
to all attributes except for passwords to all users. Then grant write
access to "self" for the specific attributes you want them to be able to
write. (Except, of course, that OpenLDAP stops at the first match in
its config file, so you list these in reverse order)
The "Sample access control policy" present in the default OpenLDAP
slapd.conf is not suitable for real world use.
A fairly minimal, secure set of ACIs for OpenLDAP would look like this:
access to attr=userPassword
by self write
by anonymous auth
by * none
access to attr=loginShell,homePhone,mobile,pager
by self write
by * read
access to *
by * read
-------------------------------------------------------
This SF.net email is sponsored by: Splunk Inc. Do you grep through log files
for problems? Stop! Download the new AJAX search engine that makes
searching your log files as easy as surfing the web. DOWNLOAD SPLUNK!
http://sel.as-us.falkag.net/sel?cmd=lnk&kid=103432&bid=230486&dat=121642
_______________________________________________
courier-users mailing list
[email protected]
Unsubscribe: https://lists.sourceforge.net/lists/listinfo/courier-users
