
Re: Access control config



On Fri, Oct 01, 1999 at 08:42:35PM +0200, jgaleano@gva.es wrote:
> I'm trying to set up a system with a distributed user 
> management in such a way that there will be a manager 
> for each sub-organization. The manager for one 
> suborganization mustn't be able to do anything but read 
> entries below other suborgs.
> I have tried to filter the privileges giving access 
> with access control lists like the following one
> 
> access to dn=".*,ou=suborg1,o=org,c=ES"
>   by dn="cn=manager-suborg1,ou=suborg1,o=org,c=ES" write
> 
> but, to my surprise, I have experienced that with this 
> it is forbidden to create new entries for that manager 
> even under his suborganization, and to let the manager 
> add new entries I have to give him access to anything 
> directly under the whole organization.
> Is there a way to give "add-permissions" without having 
> to give access to other suborganizations?
> 
> Any ideas would be appreciated.
> TIA.
 
It gets complicated fast :-(

I will include here two files. The first is our slapd acl file. It
implements a three level access management system. Briefly we define two
groups of people per organization. 

Admins are allowed to modify but not delete or add users. Sysops are allowed
to add, delete and modify users and admins but not other sysops. Finally
there is a global group called sysadmins that can add, delete and modify any
entry in the directory.

The second file is a small sample ldif file showing entries for a single
organization.

--------- cut here for fire.acl -------------

#
# Fireplug SLAPD Access Control
#
# Copyright (c) 1997, 1998, 1999 sl@fireplug.net
#
# We assume there are three levels of administrators, two per domain and one global:
#
#	SysAdmin - can create and modify domains and other users, SysOps and Admins 
#
#	SysOps - can create and modify Users and Admins within a single o=domain
#
#	Admins - can create and modify other users within a single o=domain
#
# User entries are stored in the hierarchy using a DN of the following format:
#
#	dn: uid=user@some.domain, ou=accounts, o=some.domain, l=server
#
# Admin group entries are stored in the hierarchy using a DN of the following format:
#
#	dn: cn=SysAdmin, l=server
#
#	dn: cn=SysOp, o=some.domain, l=server
#
#	dn: cn=Admin, o=some.domain, l=server
#
#
# Almost all access is controlled by checking if the bind DN is present in a specific
# group that has permission to do the operation for the . 
#
# The rules work by specifically allowing write access where required, restricting
# read access where required and ending up with a generic read access for anything
# else not otherwise specified.
#
# 
#
# N.B.
#
#  1. ACL matches are done by Distinguished Name (DN) of the entry being modified
#     and attribute in question.
#
#  2. Only the FIRST matching ACL for a DN/attribute is used to determine 
#     ALL RIGHTS to the specific DN/Attribute so the ACL rules should be sorted
#     from most specific to least specific.
#
#  3. Within an ACL rule, by clauses should be sorted from most powerful to 
#     least in case the bind DN qualifies for more than one.
#
#  4. Within the <attrlist> the token "entry" can be specified. It is used to
#     specify permissions to do with an entry itself. slapd references it
#     before allowing a search within an entry and before allowing an entry
#     to be deleted. An empty attrlist will match.
#
#  5. Within the <attrlist> the token "children" can be specified. It is used to
#     specify permissions to do with adding entries. slapd references it
#     before allowing an entry to be added, it will check for permission 
#     in the parent entry. An empty attrlist will match.
#
#  6. Within the <who> list the expression group=<string> matches 
#     if the expanded string is an entry of type groupOfUniqueNames
#     and the bind DN is a value within the attribute uniqueMember of
#     that entry.
#
#
# Open Questions
#
#  1. Is l=.* required everywhere?
#
#  2. Are there any security holes because o=.* can match commas (i.e.
#     the regex is across dn ignoring different parts of the hierarchy)?
#
#  3. Could we extend the entry syntax to allow multiple sets of attr= by= by= 
#     for each access to? This would collapse several rules, presumably allowing
#     slightly faster searching as the pattern would not have to be matched
#     multiple times. For examples 1, 2 and 3 would be collapsed to a single
#     rule with three sets of attr= by= by= clauses.
#

##############
#
# entries relating to account entries, ou=accounts,o=*,l=*

#
#  1: Allow Admin, SysOp and SysAdmin to ADD children and write UID, 
#     allow all users to read entries.
#
access to dn="ou=accounts,o=(.*),l=(.*)"
    attrs=children,entry,uid
    by  group="cn=SysAdmin,l=$2" write
    by  group="cn=SysOp,o=$1,l=$2" write
    by  group="cn=Admin,o=$1,l=$2" write
    by  dn=".*" read


#
#  2: WRITE access to some attributes by Admin, SysOp and SysAdmin,
#     read access to self, NO access by everyone else
#
#     Put attributes that should not be MODIFIED by a user and should
#     be kept private here.
#
access to dn=".*,ou=accounts,o=(.*),l=(.*)"
    attrs=children,newsAdultAccess,newsNormalAccess
    by  self read
    by  group="cn=SysAdmin,l=$2" write
    by  group="cn=SysOp,o=$1,l=$2" write
    by  group="cn=Admin,o=$1,l=$2" write
    by  dn=".*" none

#
#  3: WRITE access to userPassword access by Self, Admin, SysOp and SysAdmin,
#     NO access by everyone else
#
#     Put attributes that can be MODIFIED by a user and should
#     be kept private here.
#
access to dn=".*,ou=accounts,o=(.*),l=(.*)"
    attrs=userPassword,warningAcknowleged
    by  self write
    by  group="cn=SysAdmin,l=$2" write
    by  group="cn=SysOp,o=$1,l=$2" write
    by  group="cn=Admin,o=$1,l=$2" write
    by  dn=".*" none

#
#  4: WRITE access to restricted set of attributes by Self, Admin, 
#     SysOp, and SysAdmin, READ access to everyone else
#
#     Put attributes that can be MODIFIED by a user and should NOT
#     be kept private here.
#
#
access to dn=".*,ou=accounts,o=(.*),l=(.*)"
    attrs=cn,description,homePhone,homePostalAddress,labeledURI,labeledURL,mailAutoReplyText,mailAutoReplyMode,mailAlternateAddress,mailForwardingAddress,mailDeliveryOption,mailHost,sn
    by  self write
    by  group="cn=SysAdmin,l=$2" write
    by  group="cn=SysOp,o=$1,l=$2" write
    by  group="cn=Admin,o=$1,l=$2" write
    by  dn=".*" read

##############
#
# entries relating to groups, cn=XXX,o=*,l=*

#
#  5: WRITE access to Admin group by SysOp and SysAdmin,
#     READ access to ADMIN,
#     NO access for everyone else
#
access to dn="cn=Admin,o=(.*),l=(.*)"
    by  group="cn=SysAdmin,l=$2" write
    by  group="cn=SysOp,o=$1,l=$2" write
    by  group="cn=Admin,o=$1,l=$2" read
    by  dn=".*" none

#
#  6: WRITE access to SysOp groups by SysAdmin,
#     READ access to SysOp,
#     NO access for everyone else
#
#
access to dn="cn=SysOp,o=(.*),l=(.*)"
    by  group="cn=SysAdmin,l=$2" write
    by  group="cn=SysOp,o=$1,l=$2" write
    by  dn=".*" none

#
#  7: WRITE access to SysAdmin groups by SysAdmin,
#     NO access for everyone else
#
#  Note that this is two identical rules rolled into one with
#  the two dn patterns being specified with the | regex operator.
#
access to dn="cn=SysAdmin,l=(.*)"
    by  group="cn=SysAdmin,l=$1" write
    by  dn=".*" read

#
#  8: WRITE access to organization entries password by SysAdmin and self
#     NO access for everyone else
#
#  Note that this is two identical rules rolled into one with
#  the two dn patterns being specified with the | regex operator.
#
access to dn="cn=SysAdmin,l=(.*)"
    attrs=userPassword
    by  self write
    by  group="cn=SysAdmin,l=$1" write
    by  dn=".*" none



##############
#
# entries relating to anything else not specified above

#
#  9: WRITE access to anything else below the organization level for 
#     Admins, SysOps and SysAdmins, READ access for anyone else
#
access to dn=".*,o=(.*),l=(.*)"
    attrs=entry
    by  group="cn=SysAdmin,l=$2" write
    by  group="cn=SysOp,o=$1,l=$2" write
    by  group="cn=Admin,o=$1,l=$2" write
    by  dn=".*" read

#
# 10: WRITE access for SysAdmins to add anything
#      else, READ access for all entries.
#
access to dn="l=(.*)"
    attrs=entry,children
    by  group="cn=SysAdmin,l=$1" write
    by  dn=".*" read

#
# 11: WRITE access for SysAdmins to anything left, READ access to everyone
#      else
#
access to dn="l=(.*)"
    by  group="cn=SysAdmin,l=$1" write
    by  dn=".*" read

#####

------------------ cut here for demo.ldif -----------------

dn: l=yvr
objectclass: top

dn: cn=SysAdmin,l=yvr
objectclass: top
objectclass: groupOfNames
cn: SysAdmin
description: people who can manage sysops and domains
member: cn=SysAdmin,l=yvr
member: uid=sl@citywave.net,ou=accounts,o=citywave.net,l=yvr

dn: o=citywave.net,l=yvr
objectclass: top
objectclass: organization
objectclass: simpleSecurityObject
objectclass: fireOrganization
objectclass: fireNewsDefaults
o: citywave.net
userpassword: {CRYPT}ZFTK//fSNuMME

dn: cn=Admin,o=citywave.net,l=yvr
objectclass: top
objectclass: groupOfNames
cn: Admin
description: people who can manage users for this domain
member: cn=Admin,o=citywave.net,l=yvr
member: uid=richard@citywave.net,ou=accounts,o=citywave.net,l=yvr

dn: cn=SysOp,o=citywave.net,l=yvr
objectclass: top
objectclass: groupOfNames
cn: SysOp
description: people who can manage admins for this domain
member: cn=SysOp,o=citywave.net,l=yvr
member: uid=ted@citywave.net,ou=accounts,o=citywave.net,l=yvr

dn: ou=accounts,o=citywave.net,l=yvr
objectclass: top
objectclass: organizationalUnit
ou: accounts
description: accounts at citywave.net

dn: uid=fred@citywave.net,ou=accounts,o=citywave.net,l=yvr
objectclass: top
objectclass: account
objectclass: mailRecipient
objectclass: fireMessagingUser
objectclass: person
objectclass: organizationalPerson
objectclass: inetorgPerson
objectclass: fireNewsAccess
userpassword: {CRYPT}ZFTK//fSNuMME
uid: fred@citywave.net
mail: fred@citywave.net
cn: Fred Smith
sn: Fred

dn: uid=frank@citywave.net,ou=accounts,o=citywave.net,l=yvr
objectclass: top
objectclass: account
objectclass: mailRecipient
objectclass: fireMessagingUser
objectclass: person
objectclass: organizationalPerson
objectclass: inetorgPerson
objectclass: fireNewsAccess
uid: frank@citywave.net
mail: frank@citywave.net
userpassword: {CRYPT}ZFTK//fSNuMME
cn: Frank Smith
sn: Frank

dn: uid=kenc@citywave.net,ou=accounts,o=citywave.net,l=yvr
objectclass: top
objectclass: account
objectclass: mailRecipient
objectclass: fireMessagingUser
objectclass: person
objectclass: organizationalPerson
objectclass: inetorgPerson
objectclass: fireNewsAccess
uid: kenc@citywave.net
mail: kenc@citywave.net
mailforwardingaddress: ken@fireplug.net
userpassword: {CRYPT}ZFTK//fSNuMME
cn: Ken Cillis
sn: Cillis

dn: uid=postmaster@citywave.net,ou=accounts,o=citywave.net,l=yvr
objectclass: top
objectclass: account
objectclass: mailRecipient
objectclass: fireMessagingUser
objectclass: fireMailAlias
uid: postmaster@citywave.net
mail: postmaster@citywave.net

dn: uid=richard@citywave.net,ou=accounts,o=citywave.net,l=yvr
objectclass: top
objectclass: account
objectclass: mailRecipient
objectclass: fireMessagingUser
objectclass: person
objectclass: organizationalPerson
objectclass: inetorgPerson
objectclass: fireNewsAccess
uid: richard@citywave.net
mail: richard@citywave.net
userpassword: {CRYPT}ZFTK//fSNuMME
sn: Pitt
cn: Richard Pitt
mailforwardingaddress: richard@fireplug.net

dn: uid=rpitt@citywave.net,ou=accounts,o=citywave.net,l=yvr
objectclass: top
objectclass: account
objectclass: mailRecipient
objectclass: fireMessagingUser
objectclass: fireMailAlias
uid: rpitt@citywave.net
mail: rpitt@citywave.net
description: forward to Richard Pitt

dn: uid=sl@citywave.net,ou=accounts,o=citywave.net,l=yvr
objectclass: top
objectclass: account
objectclass: mailRecipient
objectclass: fireMessagingUser
objectclass: fireMailAlias
uid: sl@citywave.net
mail: sl@citywave.net

dn: uid=ted@citywave.net,ou=accounts,o=citywave.net,l=yvr
objectclass: top
objectclass: account
objectclass: mailRecipient
objectclass: fireMessagingUser
objectclass: person
objectclass: organizationalPerson
objectclass: inetorgPerson
objectclass: fireNewsAccess
uid: ted@citywave.net
mail: ted@citywave.net
mailforwardingaddress: ted@psg.com
cn: Ted Powell
sn: Powell
userpassword: {CRYPT}FZT/Kf/NSMuEM

dn: uid=webmaster@citywave.net,ou=accounts,o=citywave.net,l=yvr
objectclass: top
objectclass: account
objectclass: mailRecipient
objectclass: fireMessagingUser
objectclass: fireMailAlias
uid: webmaster@citywave.net
mail: webmaster@citywave.net
mailforwardingaddress: richard@citywave.net


-- 
Stuart Lynne <sl@fireplug.net>                __O 
<http://edge.fireplug.net>                  _-\<,_               604-461-7532
PGP Fingerprint: 28 E2 A0 15 99 62 9A 00   (_)/ (_)   88 EC A3 EE 2D 1C 15 68
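A small Python model of the first-match-wins and "children" semantics the N.B. notes in fire.acl describe, added here as an example (it is neither slapd's code nor Stuart's). It shows why the original poster's `.*,ou=suborg1,...` rule never grants the add (the `children` check is made on the parent entry, which that pattern does not match) and how rule 1 of fire.acl scopes the Admin group through `$1`/`$2`. The group membership and the suborg1 fix are constructed, and anchored `re.fullmatch` plus a deny-by-default fallback are simplifying assumptions.

```python
import re

# Simplified model of the ACL semantics in the N.B. notes (not slapd itself):
# the first rule whose dn regex matches the target and whose attrs list names
# the attribute (empty attrs = any) decides; its first satisfied <by> clause wins.
LEVEL = {"none": 0, "read": 1, "write": 2}

def parent_dn(dn):
    return dn.split(",", 1)[1]

def check(rules, groups, bind_dn, target_dn, attr, default="none"):
    """Level bind_dn gets on attr of target_dn; `default` (assumed deny) is
    used when no rule matches or a matching rule has no applicable clause."""
    for dn_re, attrs, by_clauses in rules:
        m = re.fullmatch(dn_re, target_dn, re.IGNORECASE)
        if not m or (attrs and attr not in attrs):
            continue
        for who, level in by_clauses:
            if who == "self":
                if bind_dn == target_dn:
                    return level
                continue
            kind, pat = who.split("=", 1)
            pat = m.expand(re.sub(r"\$(\d)", r"\\\1", pat))  # $1/$2 -> captures
            if kind == "dn" and re.fullmatch(pat, bind_dn, re.IGNORECASE):
                return level
            if kind == "group" and bind_dn in groups.get(pat, ()):
                return level
        return default
    return default

def can_add(rules, groups, bind_dn, new_dn):
    # N.B. 5: an add is checked as "children" write on the PARENT entry
    return LEVEL[check(rules, groups, bind_dn, parent_dn(new_dn), "children")] >= 2

MANAGER = "cn=manager-suborg1,ou=suborg1,o=org,c=ES"
# The original poster's rule: ".*," needs an RDN before ou=suborg1, so it
# matches entries under the suborg but never the suborg entry itself.
POSTER_RULES = [(r".*,ou=suborg1,o=org,c=ES", (), [("dn=" + MANAGER, "write")])]
# Constructed fix: grant children/entry on the suborg entry, then the old rule.
FIXED_RULES = [(r"ou=suborg1,o=org,c=ES", ("children", "entry"),
                [("dn=" + MANAGER, "write"), ("dn=.*", "read")])] + POSTER_RULES
# Rule 1 of fire.acl above: $1/$2 tie the group DN to the matched o= and l=.
FIRE_RULE1 = [(r"ou=accounts,o=(.*),l=(.*)", ("children", "entry", "uid"),
               [("group=cn=SysAdmin,l=$2", "write"),
                ("group=cn=SysOp,o=$1,l=$2", "write"),
                ("group=cn=Admin,o=$1,l=$2", "write"), ("dn=.*", "read")])]
RICHARD = "uid=richard@citywave.net,ou=accounts,o=citywave.net,l=yvr"
GROUPS = {"cn=Admin,o=citywave.net,l=yvr": {RICHARD}}  # constructed membership
```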