
Re: eDir disabling ldap public read rights completely


a...@novell.com

Feb 22, 2010, 4:59:31 AM

That is how you would need to do it. Is it wise? Depends.... I've heard
wisdom defined as knowledge coupled with experience, so have you tested
this to get some experience?

Will eDirectory work? Yes. Will everything depending on eDirectory work?
Depends on how well they are written and how they are implemented. If
something needs [Public] currently to do what it needs to and you change
that you may break your environment (for about one second until you put
the rights back). Novell has customers who do much more than this in
their goal of securing the tree completely. In my own tree I also revoke
rights for [Public] to do just about anything.

Good luck.

On 02/22/2010 02:06 AM, AndreasBucher wrote:
>
> Hi there,
>
> I got the following problem.
>
> I want to disable the public ldap rights from the anonymous account.
>
> I tried with a Proxy User in a specific context, but he was still able
> to read the normal public Attributes like (CN, uid, and the OU
> Structure).
>
> What I think about is just remove the public Trustee from the root. Is
> this wise?
>
> Thanks for your help.
> Kind Regards
> Andreas Bucher
>
>

a...@novell.com

Feb 22, 2010, 5:00:03 AM

Also, this is not an NMAS issue. Please use the eDirectory forums in the
future for eDirectory questions.

Good luck.

David Gersic

Feb 22, 2010, 1:44:04 PM
On Mon, 22 Feb 2010 09:06:04 +0000, AndreasBucher wrote:

> What I think about is just remove the public Trustee from the root. Is
> this wise?

You can do that, yes. It shouldn't hurt anything. Test it in your
environment first.

Then you'll want to look at the schema attributes flagged as "Public
Read" by default. And the schema Default ACL Template for User objects
may need looking at as well.


--
---------------------------------------------------------------------------
David Gersic dgersic_@_niu.edu
Novell Knowledge Partner http://forums.novell.com

Please post questions in the newsgroups. No support provided via email.
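
An added example, not part of the thread: one way to list what the [Public] trustee is currently granted, run before and after removing it as the replies above suggest. It assumes an LDIF export of the tree's ACL attribute with values laid out as `privileges#scope#trustee#attribute`, and it assumes the privilege bit values shown; the sample data is constructed.

```python
import base64

# Assumed NDS privilege bits (entry rights vs. attribute rights).
ENTRY_BITS = {1: "Browse", 2: "Add", 4: "Delete", 8: "Rename", 16: "Supervisor", 64: "InheritCtl"}
ATTR_BITS = {1: "Compare", 2: "Read", 4: "Write", 8: "Self", 32: "Supervisor", 64: "InheritCtl"}

# Constructed sample export (not from a real tree): one base64 value, one folded line.
_B64 = base64.b64encode(b"3#entry#[Public]#mail").decode()
SAMPLE_LDIF = f"""\
dn: o=example
ACL: 1#subtree#[Public]#[Entry Rights]
ACL: 2#entry#[Root]#loginScript

dn: cn=jdoe,ou=staff,o=example
ACL: 2#entry#[Public]#messageServer
ACL:: {_B64}
ACL: 3#subtree#[Public]#[All Attri
 butes Rights]
"""

def unfold(text):
    """Join LDIF continuation lines (a leading space continues the previous line)."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines

def public_acls(text):
    """Return (dn, scope, attribute, rights) for each ACL value whose trustee is [Public]."""
    findings, dn = [], None
    for line in unfold(text):
        name, sep, value = line.partition(":")
        if not sep:
            continue
        if value.startswith(":"):  # "attr:: <base64>" form
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        value = value.strip()
        if name.lower() == "dn":
            dn = value
        elif name.lower() == "acl":
            privs, scope, rest = value.split("#", 2)
            trustee, _, attr = rest.rpartition("#")
            if trustee.lower() == "[public]":
                table = ENTRY_BITS if attr == "[Entry Rights]" else ATTR_BITS
                rights = [n for bit, n in table.items() if int(privs) & bit]
                findings.append((dn, scope, attr, rights))
    return findings
```

Attributes flagged "Public Read" in the schema are not expressed as ACL values, so they will not appear in this output and need the separate schema review mentioned above.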
