On Tue, 2 Dec 2008, Brett @Google wrote:
> Hi All,
> I was wondering how I go about giving LESS access than the default ACL rule.
> Let's assume some default permissions set from the FAQ-o-matic:
> access to attr=userpassword
>     by self =xw
>     by anonymous auth
> access to *
>     by self write
>     by users read
> This allows the "standard user" to read all attributes, and write their own details.
Does it? I think it'll stop reads on userPassword, actually.
> Assuming we add to the above a user that has LESS access than the default, i.e.:
1> access to attr=c,o,ou,cn,sn,givenName,mail
2>     by dn.exact=cn=limited,dc=example,dc=com
3>     by * none (or break)
> This literally won't work as intended, because even if the above does not match, the
7> access to *
8>     by self write
9>     by users read
> will always give users read by default.
For one thing, don't you want a directive on the line I marked as #2?
Let's assume that you add "read". That point isn't limiting them from reading "mail" nor "givenName", the point is that you want to stop them from reading userPassword or secretAgentID or whatever.
So you need the best matching for "access to <whatever> attr=userPassword," which of course would be the clause starting with the line I marked as #7. You need a more explicit rule to stop them. So perhaps you'd add something along the lines of:
4 access to * attr=userPassword,secretAgentID
5     by dn.exact="cn=limited,dc=example,dc=com" none
6     by * break
Alternately, perhaps you want to make line 1 an affirmative list. In that case, just add #5 as #7.5, ignoring #4-6.
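As an added illustration (not code from this thread or from OpenLDAP), here is a small Python model of slapd's first-match ACL evaluation, loaded with the second arrangement above: the affirmative attribute list for cn=limited, then the catch-all with the "none" clause inserted as #7.5 before "by users read". It assumes the attribute-list clause ends in `by * break` so other users fall through, uses constructed DNs, and supports only the keywords that appear in this thread.

```python
# Toy first-match model of slapd ACL evaluation (added illustration, not
# slapd's own code). Only constructs used in this thread are modelled:
# attr lists, self/anonymous/users/dn.exact/*, none/auth/=xw/read/write,
# and "break" as a plain fall-through to the next <access> clause.
PRIVS = {                       # operations each privilege keyword grants
    "none": set(),
    "auth": {"auth"},
    "read": {"auth", "compare", "search", "read"},
    "write": {"auth", "compare", "search", "read", "write"},
    "=xw": {"auth", "write"},   # exactly auth + write: cannot read back
}

def who_matches(who, subject, entry):
    """True if the <who> clause applies to subject (None = anonymous)."""
    if who == "*":
        return True
    if who == "anonymous":
        return subject is None
    if who == "users":
        return subject is not None
    if who == "self":
        return subject is not None and subject.lower() == entry.lower()
    if who.startswith("dn.exact="):
        return subject is not None and subject.lower() == who[9:].strip('"').lower()
    raise ValueError(f"unsupported <who> clause: {who}")

def allowed(acls, subject, entry, attr, op):
    """acls: [(attrs, [(who, priv, control), ...]), ...]; attrs is '*' or a list.
    First <what> matching attr is selected; first matching <by> in it decides."""
    for attrs, by_clauses in acls:
        if attrs != "*" and attr.lower() not in {a.lower() for a in attrs}:
            continue                          # this <access> clause does not apply
        for who, priv, control in by_clauses:
            if not who_matches(who, subject, entry):
                continue
            if control == "break":
                break                         # keep scanning later <access> clauses
            return op in PRIVS[priv]          # first matching <by> wins (implicit stop)
        else:
            return False                      # <what> matched but no <by> did: deny
    return False

LIMITED = "cn=limited,dc=example,dc=com"      # constructed sample DNs
ALICE, BOB = "uid=alice,dc=example,dc=com", "uid=bob,dc=example,dc=com"
# Reply's second arrangement: affirmative attr list for cn=limited, then the
# catch-all with its "none" clause placed before "by users read".
ACLS = [
    (["userPassword"], [("self", "=xw", "stop"), ("anonymous", "auth", "stop")]),
    (["c", "o", "ou", "cn", "sn", "givenName", "mail"],
     [(f'dn.exact="{LIMITED}"', "read", "stop"), ("*", None, "break")]),
    ("*", [("self", "write", "stop"), (f'dn.exact="{LIMITED}"', "none", "stop"),
           ("users", "read", "stop")]),
]
```

Evaluating `allowed(ACLS, ...)` shows that ordinary users still read mail, cn=limited reads the listed attributes but nothing else, and nobody but the owner (and only for auth/write) touches userPassword, which is the point made in the reply about the original first rule.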