On Mon, 14 Jan 2013 21:11:26 -0800, Ori Bani <[email protected]> wrote:
> Hello,
>
> I think I understand that default access for everything that does not
> have any access rule is to allow read permission to everyone. All
> other entries (that have some form of access rules) will have a
> default of "access to * by * none" applied. I'd like instead to have
> all defaults be no access.
>
> I have a directory that will be used for internal email processes and
> also have a certain amount of public/anonymous access (but only to
> chosen attributes). Due to the public/anonymous component, I'd like
> to have default access rules be as restrictive as possible.
>
> Does it make sense to (do people commonly) set a global access of
> "access to * by * none" and then open access up for individual
> databases as desired?
>
> I'm thinking a global rule:
>
> access to *
>     by dn.base="cn=Manager,dc=example,dc=com" write
>     by * none
>
> Then each database will have to explicitly open access only as much
> as needed.

No, that is not the way ACLs work.

[...]

> Any tips much appreciated.

man slapd.access(5) and http://www.openldap.org/faq/data/cache/189.html

-Dieter

-- 
Dieter Klünter | Systemberatung
http://dkluenter.de
GPG Key ID:DA147B05
53°37'09,95"N
10°08'02,42"E
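An added example, not from either poster, showing what "open each database only as far as needed" looks like in slapd.conf ACL syntax: the public gets a fixed attribute list, authenticated users get read, and the catch-all ends in an explicit deny. The cn=Manager DN and dc=example,dc=com suffix come from the question; the ou=people subtree and the attribute list are assumptions.

```conf
# Added example (not from the thread). slapd.conf fragment: ACLs placed
# after a "database" directive apply to that database's entries.
# slapd evaluates the FIRST "access to" clause whose <what> matches the
# entry, and within it the FIRST "by" clause whose <who> matches; later
# clauses are never consulted, so the catch-all "to *" must come last.
database        mdb
suffix          "dc=example,dc=com"
rootdn          "cn=Manager,dc=example,dc=com"
# The rootdn bypasses ACLs entirely, so it needs no "by" clause of its own.

# userPassword: the owner may change it, anonymous may only use it to
# bind (auth), and nobody else gets anything.
access to attrs=userPassword
        by self write
        by anonymous auth
        by * none

# Attributes chosen for public access (assumed list). Two pseudo-attributes
# are included on purpose: "entry" must be readable or the entry is never
# returned at all, and a search filter can only test attributes the
# requester has (at least) search access to, so objectClass is listed so
# that a filter such as (objectClass=person) can match.
access to dn.subtree="ou=people,dc=example,dc=com" attrs=entry,objectClass,cn,mail
        by anonymous read
        by users read
        by * none

# Everything else in this database: authenticated users may read, the
# public gets nothing. This replaces the implicit "by * read" that would
# otherwise apply to entries no clause matches with an explicit deny.
access to *
        by users read
        by * none
```

The same rules carry over to cn=config as ordered olcAccess: {n} values; the first-match evaluation order is what matters, not the file they live in.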
