Hello,
I think I understand that default access for everything that does not have any access rule is to allow read permission to everyone. All other entries (that have some form of access rules) will have a default of "access to * by * none" applied. I'd like instead to have all defaults be no access.
I have a directory that will be used for internal email processes and also have a certain amount of public/anonymous access (but only to chosen attributes). Due to the public/anonymous component, I'd like to have default access rules be as restrictive as possible.
Does it make sense to (do people commonly) set a global access of "access to * by * none" and then open access up for individual databases as desired?
I'm thinking a global rule:
access to * by dn.base="cn=Manager,dc=example,dc=com" write by * none
Then each database will have to explicitly open access only as much as needed.
The following would be in the database that uses the suffix for dc=example,dc=com
Passwords for auth only, only admin can change passwords:
access to attrs=userPassword by dn.base="cn=Manager,dc=example,dc=com" write by anonymous auth by * none
Attributes needed by email delivery software only visible to the entry itself:
access to attrs=mailMessageStore,homeDirectory,uidNumber,gidNumber by dn.base="cn=Manager,dc=example,dc=com" write by self read by * none
Publicly available attributes defined explicitly:
access to attrs=mail,jpegPhoto by dn.base="cn=Manager,dc=example,dc=com" write by * read
Nothing else can be seen by anyone except the admin:
access to * by dn.base="cn=Manager,dc=example,dc=com" write by * none
In this scenario, cn is used to identify entries when searching but as you see, that attribute is forbidden to anonymous. Is that a problem or is it OK to allow query against cn while still disallowing cn in the results?
I guess I'd also add this within this database's context, but I have to do it above the other rules I just listed?
access to dn.base="cn=Manager,dc=example,dc=com" by peername.ip=127.0.0.1 auth by peername.ip=192.168.0.0%255.255.255.0 auth by * none
Any tips much appreciated.
On Mon, 14 Jan 2013 21:11:26 -0800, Ori Bani oribani@gmail.com wrote:
No, that is not the way ACLs work. [...]
man slapd.access(5) and http://www.openldap.org/faq/data/cache/189.html
-Dieter
On Mon, Jan 14, 2013 at 10:28 PM, Dieter Klünter dieter@dkluenter.de wrote:
The rules I suggested were a result of reading through all the documentation. Can you please be more specific as to what part of my suggestion is wrong-headed or will not work?
Or can someone else give it a try?
On Tue, 15 Jan 2013 09:43:02 -0800, Ori Bani oribani@gmail.com wrote:
The most important sentence is: Access control checking stops at the first match of the <what> and <who> clause, unless otherwise dictated by the <control> clause.
According to your rule set, checking will stop at the first rule, that is "access to * by * none".
In order to check your rule sets, run slapd in debugging mode with -d acl.
-Dieter
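A small Python model of the first-match evaluation Dieter describes, run over the rule set from the first post. This is an added example, not OpenLDAP code; it assumes, as the thread does, that the global ACL is appended after the database ACLs and that a request matching no rule is denied, and the entry and bind DNs are made up.

```python
# Toy model of slapd's first-match ACL evaluation. Added example, not OpenLDAP code.
LEVELS = ["none", "disclose", "auth", "compare", "search", "read", "write", "manage"]
MANAGER = 'dn.base="cn=Manager,dc=example,dc=com"'

def parse_acl(line):
    """Parse the slapd.access(5) subset used in the thread: access to <what> by <who> <level> ..."""
    what, _, rest = line.partition(" by ")
    what = what[len("access to "):].strip()
    bys = [clause.rsplit(None, 1) for clause in rest.split(" by ")]
    return what, [(who.strip(), level) for who, level in bys]

def what_matches(what, dn, attr):
    if what == "*":
        return True
    if what.startswith("attrs="):
        return attr in what[len("attrs="):].split(",")
    if what.startswith("dn.base="):          # the entry and all of its attributes
        return dn == what[len("dn.base="):].strip('"')
    raise ValueError("unsupported <what>: " + what)

def who_matches(who, dn, bind_dn):
    if who == "*":
        return True
    if who == "anonymous":
        return bind_dn == ""
    if who == "self":
        return bind_dn != "" and bind_dn == dn
    if who.startswith("dn.base="):
        return bind_dn == who[len("dn.base="):].strip('"')
    raise ValueError("unsupported <who>: " + who)

def check(acls, dn, attr, bind_dn, wanted):
    """True if bind_dn ("" = anonymous) gets at least `wanted` access to attr of dn."""
    for what, bys in acls:
        if not what_matches(what, dn, attr):
            continue
        for who, level in bys:              # first matching <who> decides, checking stops here
            if who_matches(who, dn, bind_dn):
                return LEVELS.index(level) >= LEVELS.index(wanted)
        return False                        # no <who> matched: implicit trailing "by * none"
    return False                            # no <what> matched: deny (assumption, see lead-in)

DB_ACLS = [parse_acl(line) for line in (
    f'access to attrs=userPassword by {MANAGER} write by anonymous auth by * none',
    f'access to attrs=mailMessageStore,homeDirectory,uidNumber,gidNumber by {MANAGER} write by self read by * none',
    f'access to attrs=mail,jpegPhoto by {MANAGER} write by * read',
    f'access to * by {MANAGER} write by * none',
)]
GLOBAL_ACL = parse_acl(f'access to * by {MANAGER} write by * none')
ACLS = DB_ACLS + [GLOBAL_ACL]        # assumed order: database rules first, then the global one
BACKWARDS = [GLOBAL_ACL] + DB_ACLS   # if the catch-all came first, nothing below it would ever be reached
```

With this rule set anonymous gets none on cn, so an anonymous search filtered on cn cannot match any entry either: slapd needs search access to an attribute before it will use it in a filter.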
On Tue, Jan 15, 2013 at 11:52 AM, Dieter Klünter dieter@dkluenter.de wrote:
That rule being a global rule, my understanding is that it gets appended to rules that are specified for any one database. This is redundant because any defined rules automatically have "access to * by * none" appended to them.
However, the reason I propose it is to ensure that any other access to the LDAP server is denied in case some other database mistakenly doesn't have rules, etc. -- just a secure fallback, a very common way to approach publicly accessible systems as I'm sure you know.
Does that clarify that part of my original inquiry?
On Tue, 15 Jan 2013 12:49:15 -0800, Ori Bani oribani@gmail.com wrote:
Just test it, as I mentioned: run slapd in debugging mode with ACL parsing, or test with slapacl(8).
-Dieter
With due respect, if upon testing it does not work, my question still remains - how can I make the default/global access rule to deny access to everything for everyone?
I was also wondering if the rest of my rules made sense or not (see first post in thread).
openldap-technical@openldap.org