On Mon, 14 Jan 2013 21:11:26 -0800, Ori Bani oribani@gmail.com wrote:
> Hello,
> I think I understand that default access for everything that does not have any access rule is to allow read permission to everyone. All other entries (that have some form of access rules) will have a default of "access to * by * none" applied. I'd like instead to have all defaults be no access.
> I have a directory that will be used for internal email processes and also have a certain amount of public/anonymous access (but only to chosen attributes). Due to the public/anonymous component, I'd like to have default access rules be as restrictive as possible.
> Does it make sense to (do people commonly) set a global access of "access to * by * none" and then open access up for individual databases as desired?
> I'm thinking a global rule:
> access to * by dn.base="cn=Manager,dc=example,dc=com" write by * none
> Then each database will have to explicitly open access only as much as needed.
No, that is not the way ACLs work. [...]
> Any tips much appreciated.
man slapd.access(5) and http://www.openldap.org/faq/data/cache/189.html
-Dieter
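The question above turns on two different things slapd does: fall back to "access to * by * read" when no directive matches an entry, and apply an implicit "by * none" when a matched directive's by-list runs out. The following is an added example, not code from the thread or from OpenLDAP: a simplified Python model of slapd's first-match evaluation that shows why a catch-all directive placed ahead of the specific ones shadows them, and how ordering specific directives first with a restrictive catch-all last gives the "default none" the poster wants. The directive mini-syntax, the attribute names and the bind DNs are constructed, and the model does not represent where global directives fall relative to per-database ones.

```python
# Simplified model of slapd ACL evaluation (added example, not OpenLDAP code).
# Directives are tried in configuration order; the first one whose <what>
# matches decides, and inside it the first matching <by> wins, with an
# implicit "by * none" at the end of every directive. If no directive matches
# at all, slapd falls back to "access to * by * read". The rootdn bypasses ACLs.

LEVELS = ["none", "disclose", "auth", "compare", "search", "read", "write", "manage"]

def _what_matches(what, attr):
    # Constructed mini-syntax: "*" or "attrs=a,b" (enough for this thread;
    # real slapd also understands dn.*, filter=, val= and more).
    if what == "*":
        return True
    if what.startswith("attrs="):
        return attr is not None and attr in what[len("attrs="):].split(",")
    raise ValueError("unsupported <what>: " + what)

def _who_matches(who, binddn):
    if who == "*":
        return True
    if who == "anonymous":
        return binddn is None
    if who == "users":
        return binddn is not None
    if who.startswith("dn.base="):
        return binddn is not None and binddn.lower() == who[len("dn.base="):].lower()
    raise ValueError("unsupported <who>: " + who)

def evaluate(acls, binddn, attr, rootdn=None):
    """Access level `binddn` (None = anonymous bind) gets on `attr`.
    `acls` is a list of (what, [(who, level), ...]) in configuration order."""
    if rootdn is not None and binddn is not None and binddn.lower() == rootdn.lower():
        return "manage"                      # rootdn is never subject to ACLs
    for what, by_clauses in acls:
        if _what_matches(what, attr):
            for who, level in by_clauses + [("*", "none")]:  # implicit "by * none"
                if _who_matches(who, binddn):
                    return level
    return "read"                            # implicit "access to * by * read"

MANAGER = "cn=Manager,dc=example,dc=com"    # DN from the thread; rootdn not assumed

# Constructed: the catch-all placed FIRST swallows every attribute, so the
# directive meant to expose cn and mail anonymously is never consulted.
SHADOWED = [
    ("*", [("dn.base=" + MANAGER, "write")]),            # implicit by * none follows
    ("attrs=cn,mail", [("anonymous", "read")]),          # unreachable
]
# Constructed: specific directives first, restrictive catch-all last, so
# anything not named explicitly ends up at "none" instead of the read default.
RESTRICTIVE_DEFAULT = [
    ("attrs=cn,mail", [("dn.base=" + MANAGER, "write"), ("*", "read")]),
    ("*", [("dn.base=" + MANAGER, "write")]),            # everyone else: none
]
```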