Andreas Rudat writes:
I'm trying to understand these acl's:
{0} to attrs=userPassword,shadowLastChange,sambaNTPassword,sambaLMPassword
    by dn="cn=admin,dc=foo,dc=bar" write   <-- admin can read/write
    by anonymous auth                      <-- anonymous can auth
    by self write                          <-- object owner can read/write
    by * none                              <-- all other users denied
{1} to dn.base="" by * read                <-- all can read the root dc=foo, dc=bar
{2} to * by dn="cn=admin,dc=studsemi,dc=intern" write
    by * read
so with acl 0: users and admin can read/write passwords, all others can do nothing with that
Yup. At our site we don't make userPassword readable or searchable by anyone except the rootdn. I.e. we use '=w' instead of 'write'. Or '=wx' just in case there are some slapd features that can use it for auth.
acl 1: ALL can read the root dc=foo,dc=bar
No, all can read entry "". Unless you mistyped dn.base="dc=foo,dc=bar". DN "" is not part of any database. It refers to the root DSE, a read-only entry describing the server. If you have a database with suffix "", the ACL also affects add/delete of entries below that (the pseudo-attribute "children") and non-baseobject searches from DN "".
acl 2: all other attributes can be read by all others and only admin can also modify all other attributes?
so if that is correct, then I think acl 1 isn't needed?
Probably. Its effect here is to prevent ACL 2 for DN "", i.e. it prevents admin write access for that DN, which makes no difference except in a database with suffix "".
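The ACL set as it would look with the changes suggested in this thread, written out here as an added example rather than either poster's actual slapd.conf (the suffix dc=foo,dc=bar and the admin DN are taken from ACL 0 above; the second admin DN from ACL 2 is assumed to be a typo and is not repeated):

```conf
# Password attributes: nobody except the rootdn can read or search them.
# '=wx' grants write plus auth privilege, but not read/search/compare,
# so even the entry owner and the admin only get to *set* the password.
access to attrs=userPassword,shadowLastChange,sambaNTPassword,sambaLMPassword
    by dn="cn=admin,dc=foo,dc=bar" =wx
    by anonymous auth
    by self =wx
    by * none

# The original ACL 1 ('to dn.base="" by * read') is dropped: DN "" is the
# root DSE, not the database suffix dc=foo,dc=bar, so it only mattered
# for a database with suffix "" and otherwise just shadowed ACL 2 for DN "".

# Everything else: admin can modify, everyone (including anonymous) can read.
access to *
    by dn="cn=admin,dc=foo,dc=bar" write
    by * read
```

After loading it, `ldapsearch` as an ordinary bound user should return entries without any of the password attributes, while `ldappasswd` as that user should still succeed.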