On 6/22/05, Buchan Milne <[EMAIL PROTECTED]> wrote:
> > # Let anonymous users read just the basic attributes
> > access to dn.subtree="dc=users,dc=accounts,dc=ldap,dc=mcad,dc=edu"
> >         attrs=displayName,cn,mail
> >         by self write
> >         by anonymous read
> >         by dn="cn=postfix,dc=bindAccts,dc=ldap,dc=mcad,dc=edu" read
> >         by dn="cn=barracuda,dc=bindAccts,dc=ldap,dc=mcad,dc=edu" read
> >         by * none
>
> Shouldn't the last line be (assuming these are the attributes you want
> to be visible to anonymous users):
>         by * read?
Possibly, but I'm not sure why; I explicitly allow anonymous binds to read
earlier in the ACL. My understanding is the 'by *' clause catches only users
not explicitly listed. I'll experiment with that.

> > #Let only accounts under bindAccts read the rest
> > access to dn.subtree="dc=users,dc=accounts,dc=ldap,dc=mcad,dc=edu"
> >         by dn.children="dc=bindAccts,dc=ldap,dc=mcad,dc=edu" read
> >         by anonymous search
> >         by * none
>
> Hmm, all bind accounts can read all attributes of any other users? Like
> userPassword? Maybe not such a good idea.

This isn't the full (or final) ACL. The first entry is the obligatory "no one
can read userPassword" entry. And once I figure out how to deny all but
specified attributes to anonymous users, I will tighten up the rest of the
ACL.

> > With that approach, anonymous users see nothing.
>
> Yep ... because you haven't got an access rule for "anonymous" on the
> first ACL, but you restrict everyone (including anonymous) to none.

Nope. If you look back at the 1st ACL, the second <by> clause allows
anonymous to read.

> > If I comment out the second ACL, the query falls through to the last ACL
> > in my config, which is:
> >
> > access to *
> >         by <specific accounts> write
> >         by * read
>
> Your last ACL should probably not be "by * read" for what you want to
> accomplish ...

Only if I can't get the second ACL listed above to work. If I can get it to
do what I want, anonymous users will stop there.

> Also, "by users" and "by self" may be useful to you...

Not really. As I stated earlier, I'm trying to restrict what *anonymous*
users can see to an explicitly listed subset of the attributes in an entry.

-Ben
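A small model of how slapd walks the two ACLs quoted above, added here as an illustration and not written by either poster. It assumes the semantics described in slapd.access(5): the first "access to" clause whose target matches the (entry, attribute) pair is the only one consulted, the first matching "by" clause in it decides the level, and a search only returns an entry to a requester that has read access on the "entry" pseudo-attribute; the entry DN uid=ben,... is a constructed sample.

```python
LEVELS = ["none", "disclose", "auth", "compare", "search", "read", "write"]
USERS = "dc=users,dc=accounts,dc=ldap,dc=mcad,dc=edu"
BINDS = "dc=bindAccts,dc=ldap,dc=mcad,dc=edu"

def who_matches(who, arg, requester, target_dn):
    """One 'by' clause. requester is None for an anonymous bind."""
    if who == "*":
        return True
    if who == "anonymous":
        return requester is None
    if requester is None:
        return False
    if who == "self":
        return requester == target_dn
    if who == "dn":
        return requester == arg
    if who == "dn.children":  # strictly below arg, at any depth
        return requester != arg and requester.endswith("," + arg)
    raise ValueError(who)

def evaluate(acls, requester, target_dn, attr):
    """Level granted on one attribute of target_dn: first 'access to' clause
    matching (dn, attr) is used, first matching 'by' inside it decides."""
    for subtree, attrs, by_clauses in acls:
        if not (target_dn == subtree or target_dn.endswith("," + subtree)):
            continue
        if attrs is not None and attr not in attrs:
            continue
        for who, arg, level in by_clauses:
            if who_matches(who, arg, requester, target_dn):
                return level
        return "none"
    return "none"

# Ben's two ACLs as posted (his separate userPassword rule is not modelled).
ORIGINAL = [
    (USERS, {"displayName", "cn", "mail"}, [
        ("self", None, "write"), ("anonymous", None, "read"),
        ("dn", "cn=postfix," + BINDS, "read"), ("dn", "cn=barracuda," + BINDS, "read"),
        ("*", None, "none")]),
    (USERS, None, [
        ("dn.children", BINDS, "read"), ("anonymous", None, "search"), ("*", None, "none")]),
]
# Same rules with the "entry" pseudo-attribute added to the first target's attrs
# (assumption: that is what lets anonymous get the entry itself back from a search).
FIXED = [(ORIGINAL[0][0], ORIGINAL[0][1] | {"entry"}, ORIGINAL[0][2]), ORIGINAL[1]]
BEN = "uid=ben," + USERS  # constructed sample entry under the users subtree

def anonymous_gets_entry(acls):
    """True if an anonymous search would return BEN's entry at all."""
    return LEVELS.index(evaluate(acls, None, BEN, "entry")) >= LEVELS.index("read")
```

With the rules as posted, anonymous gets "read" on mail but only "search" on the entry pseudo-attribute (it falls to the second ACL), which is why nothing comes back; changing the trailing "by * none" to "by * read" does not alter the anonymous result, since the earlier "by anonymous" clause already matched.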
