>> >> >> I think I understand that default access for everything that
>> >> >> does not have any access rule is to allow read permission to
>> >> >> everyone. All other entries (that have some form of access
>> >> >> rules) will have a default of "access to * by * none" applied.
>> >> >> I'd like instead to have all defaults be no access.
>> >> >>
>> >> >> I have a directory that will be used for internal email
>> >> >> processes and also have a certain amount of public/anonymous
>> >> >> access (but only to chosen attributes). Due to the
>> >> >> public/anonymous component, I'd like to have default access
>> >> >> rules be as restrictive as possible.
>> >> >>
>> >> >> Does it make sense to (do people commonly) set a global access
>> >> >> of "access to * by * none" and then open access up for
>> >> >> individual databases as desired?
>> >> >>
>> >> >> I'm thinking a global rule:
>> >> >>
>> >> >> access to *
>> >> >>     by dn.base="cn=Manager,dc=example,dc=com" write
>> >> >>     by * none
>> >> >>
>> >> >> Then each database will have to explicitly open access only as
>> >> >> much as needed.
>> >> >
>> >> > No, that is not the way ACLs work.
>> >>
>> >> The rules I suggested were a result of reading through all the
>> >> documentation. Can you please be more specific as to what part of
>> >> my suggestion is wrong-headed or will not work?
>> >>
>> >> Or can someone else give it a try?
>> >
>> > The most important sentence is:
>> > Access control checking stops at the first match of the <what> and
>> > <who> clause, unless otherwise dictated by the <control> clause.
>> >
>> > According to your rule set checking will stop at the first rule,
>> > that is "access to * by * none".
>>
>> That rule being a global rule, my understanding is that it gets
>> appended to rules that are specified for any one database. This is
>> redundant because any defined rules automatically have "access to * by
>> * none" appended to them.
>>
>> However, the reason I propose it is to ensure that any other access to
>> the LDAP server is denied in case some other database mistakenly
>> doesn't have rules, etc. -- just a secure fallback, a very common way
>> to approach publicly accessible systems as I'm sure you know.
>>
>> Does that clarify that part of my original inquiry?
>
> Just test it, as I mentioned: run slapd in debugging mode with ACL
> parsing, or test with slapacl(8).
With due respect, if upon testing it does not work, my question still remains - how can I make the default/global access rule to deny access to everything for everyone? I was also wondering if the rest of my rules made sense or not (see first post in thread).
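The following slapd.conf fragment is an added worked example of the layout the thread is circling around; it is not taken from any message above or from the OpenLDAP project. The suffix dc=example,dc=com and cn=Manager come from the thread; the mdb backend, the public attribute list (mail, cn) and the second database suffix are assumptions. It relies on two documented slapd.access(5) behaviours: checking stops at the first rule whose <what> and <who> both match, and the global (frontend) access directives are evaluated after a database's own directives, so they act as the fallback for a database that defines none.

```conf
#### Global (frontend) section.
#### These directives are appended AFTER each database's own access
#### directives. The explicit "by * none" restates the implicit final
#### rule, but it also replaces the default "anyone may read" policy
#### for any database that defines no ACLs at all.
access to *
    by dn.base="cn=Manager,dc=example,dc=com" write
    by * none

database mdb                              # backend is an assumption
suffix   "dc=example,dc=com"
rootdn   "cn=Manager,dc=example,dc=com"   # rootdn bypasses ACLs entirely

# Order matters inside a database: the specific openings come first,
# the catch-all deny comes last, because evaluation stops at the first
# <what>/<who> match. Putting "access to * by * none" first would deny
# everything below it.

# Passwords: the owner may change them, anonymous may only use them
# to authenticate (needed for simple binds), nobody else sees them.
access to attrs=userPassword
    by self write
    by anonymous auth
    by * none

# The chosen public attributes for the mail processes (assumed names).
# "entry" is the pseudo-attribute that must be readable for an entry to
# be returned at all; read access implies search access on the filter.
access to attrs=mail,cn,entry
    by anonymous read
    by users read
    by * none

# Everything else in this database: authenticated users read only.
access to *
    by users read
    by * none

#### A second database with NO access directives (assumed suffix).
#### It inherits only the global rule: Manager may write, everyone
#### else gets none, instead of the default read-for-all policy.
database mdb
suffix   "dc=internal,dc=example,dc=com"
rootdn   "cn=Manager,dc=example,dc=com"
```

Before deploying, confirm the intended result the way the reply above suggests: slapacl(8) evaluates a named identity against a named entry and attribute using this configuration without starting the server, so the anonymous, authenticated and Manager cases can each be checked against both databases.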
