On Mon, Oct 27, 2014 at 03:43:03PM -0300, Net Warrior wrote:
> Based on the ACLs I posted from my configuration, what else can you
> recommend to include, tweak or modify?
As both Michael and Dieter have said, this is very dependent on your
site's requirements and policy. You need to work out what those are.
If you can answer these questions, we might be able to help you some more:
1) Should an anonymous user be able to get any data at all?
(Ignore the root entry: we are talking about the subtree
under dc=domain,dc=com here)
2) What classes of user should have access to the data?
Examples might be:
LDAP administrator
Web applications
Desktop addressbook users
Webmail users
Directory synchronisation processes
3) For each of the above, what data (entries and attributes)
do they need?
4) How will the users authenticate to the LDAP service?
i.e. Will the user DNs and passwords be configured into
the applications, or is the human user expected to supply
a username and password each time?
Andrew
--
-----------------------------------------------------------------------
| From Andrew Findlay, Skills 1st Ltd |
| Consultant in large-scale systems, networks, and directory services |
| http://www.skills-1st.co.uk/ +44 1628 782565 |
-----------------------------------------------------------------------
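As an added illustration (not part of Andrew's message and not the poster's configuration), here is one way the answers to those four questions can be written down as OpenLDAP access rules in cn=config form. Everything in it is assumed for the example: the database is olcDatabase={1}mdb, the administrator is cn=admin,dc=domain,dc=com, human users live under ou=people, the web application and the synchronisation process bind as cn=webapp and cn=sync under ou=services, and the assumed policy is: anonymous users may only use a password to bind, the administrator may write everything, the web application and people may read address-book attributes, people may read their own full entry, and the sync process may read everything.

```ldif
# Added example ACL set, written against assumed DNs under dc=domain,dc=com:
#   cn=admin,dc=domain,dc=com                  LDAP administrator
#   ou=people,dc=domain,dc=com                 desktop addressbook / webmail users
#   cn=webapp,ou=services,dc=domain,dc=com     web application bind DN
#   cn=sync,ou=services,dc=domain,dc=com       directory synchronisation process
# Rules are tried in order; the first "to" clause that matches an entry and
# attribute decides, and within it the first matching "by" clause wins.
dn: olcDatabase={1}mdb,cn=config
changetype: modify
replace: olcAccess
# Q1/Q4: anonymous clients may only use userPassword to bind (auth),
# users may change their own, admin may set it, sync may replicate it.
olcAccess: {0}to attrs=userPassword
  by dn.exact="cn=admin,dc=domain,dc=com" write
  by dn.exact="cn=sync,ou=services,dc=domain,dc=com" read
  by self write
  by anonymous auth
  by * none
# Q2/Q3: address-book attributes (plus the "entry" pseudo-attribute,
# which a search needs in order to return the entry at all) are readable
# by the web application, by people, and by the sync process.
olcAccess: {1}to dn.subtree="ou=people,dc=domain,dc=com"
  attrs=entry,cn,sn,givenName,mail,telephoneNumber
  by dn.exact="cn=admin,dc=domain,dc=com" write
  by dn.exact="cn=sync,ou=services,dc=domain,dc=com" read
  by dn.exact="cn=webapp,ou=services,dc=domain,dc=com" read
  by dn.subtree="ou=people,dc=domain,dc=com" read
  by * none
# Everything else under the suffix: admin writes, sync reads, a user may
# read the rest of their own entry, anonymous and other services get nothing.
olcAccess: {2}to *
  by dn.exact="cn=admin,dc=domain,dc=com" write
  by dn.exact="cn=sync,ou=services,dc=domain,dc=com" read
  by self read
  by * none
```

Load it with ldapmodify over ldapi:// as the config root, then check individual decisions without a client by running slapacl on the server, for example `slapacl -b "uid=alice,ou=people,dc=domain,dc=com" -D "cn=webapp,ou=services,dc=domain,dc=com" userPassword/read`, which should report that access is denied, while the same command with `mail/read` should be allowed.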