Anonymous_User Absent Member.

public user default rights


Can someone post the default rights, if any, that the [Public] object should have to the top of a tree? In the past we used the [Public] object for LDAP Contextless logins but have recently changed to using a dedicated read-only LDAP user account. I just want to make sure [Public] has the least rights it needs to the tree. Thanks, Chris.
Knowledge Partner

Re: public user default rights

[Public] does not need rights to the tree, though other services may need
it to have rights.

With that bit of pedantry called out, the biggest change I would foresee
for your setup, assuming you configured your proxy user correctly, is NCP
clients. If your LDAP clients all have sufficient rights (when connecting
anonymously for some reason) because of your new proxy user, the only
thing that really should change are NCP clients which, by definition, do
not use LDAP. Have you tested any of those (iManager, Novell Client,
etc.) to ensure they work as expected? Many of them may use LDAP for
things like contextless login, so the Novell Client in that case may
continue working if sufficient rights exist for that type of thing. The
only way to know for sure, is to test your environment. The default ACLs
setup for [Public] are most-visible at the top of the tree, and you can
see those ACLs via iManager to then copy them over to your proxy user.
Other ACLs are granted through schema definitions on attributes, so even
though you revoke all explicit rights the [Public] will have access to
read things like Surnames, uniqueID (uid via LDAP), Object Class, and
other attributes defined with the Public Read flag.

--
Good luck.

If you find this post helpful and are logged into the web interface,
show your appreciation and click on the star below...
Anonymous_User Absent Member.

Re: public user default rights


Thanks for the quick reply. I have tested our read-only proxy user on our contextless login and it is performing fine. I have completely removed [public] from the root of the tree (I was incorrectly calling it the top of the tree before, don't know why - brain f*&^ I guess). If I need [Public] at the root I can put it back in.



>>> ab<ab@no-mx.forums.microfocus.com> 6/16/2015 12:04 PM >>>



[Public] does not need rights to the tree, though other services may need
it to have rights.

With that bit of pedantry called out, the biggest change I would foresee
for your setup, assuming you configured your proxy user correctly, is NCP
clients. If your LDAP clients all have sufficient rights (when connecting
anonymously for some reason) because of your new proxy user, the only
thing that really should change are NCP clients which, by definition, do
not use LDAP. Have you tested any of those (iManager, Novell Client,
etc.) to ensure they work as expected? Many of them may use LDAP for
things like contextless login, so the Novell Client in that case may
continue working if sufficient rights exist for that type of thing. The
only way to know for sure, is to test your environment. The default ACLs
setup for [Public] are most-visible at the top of the tree, and you can
see those ACLs via iManager to then copy them over to your proxy user.
Other ACLs are granted through schema definitions on attributes, so even
though you revoke all explicit rights the [Public] will have access to
read things like Surnames, uniqueID (uid via LDAP), Object Class, and
other attributes defined with the Public Read flag.

--
Good luck.

If you find this post helpful and are logged into the web interface,
show your appreciation and click on the star below...
Knowledge Partner

Re: public user default rights

On Tue, 16 Jun 2015 16:12:15 +0000, cmosentine wrote:

> Thanks for the quick reply. I have tested our read-only proxy user on
> our contextless login and it is performing fine. I have completely
> removed [public] from the root of the tree (I was incorrectly calling it
> the top of the tree before, don't know why - brain f*&^ I guess). If I
> need [Public] at the root I can put it back in.


Note that as Aaron pointed out, this doesn't affect the default ACL
template applied to new objects (so the objects you've already created),
and doesn't affect attributes defined as 'public read' in the schema.
Changing those requires some additional work.


--
--------------------------------------------------------------------------
David Gersic dgersic_@_niu.edu
Knowledge Partner http://forums.microfocus.com

Please post questions in the forums. No support provided via email.
If you find this post helpful, please click on the star below.
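
An added example, not part of the original thread: a small audit script that lists every explicit ACL still naming [Public] in an LDIF export, covering both the container-level assignment and the per-object template ACLs mentioned above. It assumes the export renders ACL values as `privileges#scope#trustee#protectedAttribute` and uses the NDS rights bit values as assumptions; the sample LDIF and its DNs are constructed.

```python
import re

# Assumed NDS rights bits; any other bit is reported as hex.
ENTRY_BITS = {1: "Browse", 2: "Add", 4: "Delete", 8: "Rename", 16: "Supervisor"}
ATTR_BITS = {1: "Compare", 2: "Read", 4: "Write", 8: "Self", 32: "Supervisor"}

# Constructed sample export (not taken from any real tree).
SAMPLE_LDIF = """\
dn: o=example
ACL: 1#subtree#[Public]#[Entry Rights]
ACL: 3#subtree#cn=ldapproxy,o=example#[All Attributes Rights]

dn: cn=jdoe,o=example
ACL: 2#entry#[Public]#messageServer
ACL: 2#entry#[Root]#groupMembership
ACL: 6#entry#cn=jdoe,o=example#loginScript
"""

def decode(mask, target):
    """Translate a rights bitmask into names for entry or attribute rights."""
    table = ENTRY_BITS if target.lower() == "[entry rights]" else ATTR_BITS
    names = [name for bit, name in table.items() if mask & bit]
    leftover = mask & ~sum(table)
    if leftover:
        names.append(hex(leftover))
    return names

def public_acls(ldif_text, trustee="[Public]"):
    """Return (dn, scope, target, rights) for each ACL granted to trustee."""
    text = re.sub(r"\n ", "", ldif_text)  # unfold LDIF continuation lines
    dn, found = None, []
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        value = value.strip()
        if not sep:
            continue
        if key.lower() == "dn":
            dn = value
        elif key.lower() == "acl" and value.count("#") >= 3:
            mask, scope, rest = value.split("#", 2)
            who, target = rest.rsplit("#", 1)
            if mask.isdigit() and who.lower() == trustee.lower():
                found.append((dn, scope, target, decode(int(mask), target)))
    return found

if __name__ == "__main__":
    for dn, scope, target, rights in public_acls(SAMPLE_LDIF):
        print(f"{dn}: [Public] {'+'.join(rights)} on {target} ({scope})")
```

This only reports explicit ACL values; attributes flagged Public Read in the schema never appear in an ACL attribute and have to be reviewed in the schema itself.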