I want to run the ACLs on my OpenLDAP server with the same philosophy as
anything else that requires access control: That which is not expressly
permitted is expressly denied.
I seem to be having some problems achieving this goal, however. It seems
like some of my problems are with regard to attributes and entries that
the server itself provides.
If I have the following DNs in my database:
# example.com
dn: dc=example,dc=com
objectClass: dcObject
objectClass: organization
o: Example
dc: example
# People, example.com
dn: ou=People,dc=example,dc=com
objectClass: top
objectClass: organizationalUnit
ou: People
# Contacts, People, example.com
dn: ou=Contacts,ou=People,dc=example,dc=com
objectClass: top
objectClass: organizationalUnit
ou: Contacts
ou: People
# foobar, People, example.com
dn: uid=foobar,ou=People,dc=example,dc=com
objectClass: organizationalPerson
objectClass: person
objectClass: inetOrgPerson
objectClass: kerberosSecurityObject
objectClass: posixAccount
objectClass: shadowAccount
objectClass: top
uid: foobar
sn: Bar
cn: Foo Bar
krbName: foobar
uidNumber: 9998
gidNumber: 9998
homeDirectory: null
userPassword:: xxxxxxxx
title: President
# barfoo, People, example.com
dn: uid=barfoo,ou=People,dc=example,dc=com
objectClass: organizationalPerson
objectClass: person
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: shadowAccount
objectClass: top
cn: Bar Foo
uid: barfoo
uidNumber: 9999
gidNumber: 9999
homeDirectory: null
userPassword:: xxxxx
title: Network Administrator
sn: Foo
# Contacts, foobar, People, example.com
dn: ou=Contacts,uid=foobar,ou=People,dc=example,dc=com
objectClass: top
objectClass: organizationalUnit
ou: Contacts
# Contacts, barfoo, People, example.com
dn: ou=Contacts,uid=barfoo,ou=People,dc=example,dc=com
objectClass: top
objectClass: organizationalUnit
ou: Contacts
ou: People
# Dave Jones, Contacts, foobar, People, example.com
dn: cn=Dave Jones,ou=Contacts,uid=foobar,ou=People,dc=example,dc=com
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
cn: Dave Jones
sn: Jones
o: Acme Widgets
mail: dave@example.com
# Dave Smith, Contacts, barfoo, People, example.com
dn: cn=Dave Smith,ou=Contacts,uid=barfoo,ou=People,dc=example,dc=com
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
cn: Dave Smith
sn: Smith
mail: smith@example.com
o: Acme Widgets
# Brad Sharps, Contacts, People, example.com
dn: cn=Brad Sharps,ou=Contacts,ou=People,dc=example,dc=com
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
cn: Brad Sharps
givenName: Brad
sn: Sharpe
o: Acme Widgets
So I have come up with the following (suboptimal) ACL:
# Access to the Root DSE (what is this, pointers to an explanation much
# welcome)
access to dn=""
by * read
# for authentication and users to change their passwords
access to dn=".*,dc=example,dc=com" attr=userPassword
by dn="cn=Manager,dc=example,dc=com" write
by self write
by * auth
# Global contact list writable by "contacts administrator" but readable by
# any authenticated user
access to dn="ou=Contacts,ou=People,dc=example,dc=com"
by dn="uid=barfoo,ou=People,dc=example,dc=com" write
by dn="uid=[^,]*,ou=People,dc=example,dc=com" read
# Users can read and write their personal contacts
access to dn="ou=Contacts,uid=([^,]*),ou=People,dc=example,dc=com"
by dn="uid=$1,ou=People,dc=example,dc=com" write
# everything else is denied
access to *
by * none
But this ACL causes several problems, one of which is that GQ does not
seem to like it so much. I don't see full schemas or details about
attributes (i.e. for userPassword, the pulldown selector for password
"type").
My goal with this ACL is that users authenticated in ou=People,...
should be able to view global contacts (ou=Contacts,ou=People,...) and
view and edit their personal contacts
(ou=Contacts,uid=[^,]*,ou=People,...) but not read or write anything
else in the directory.
What details am I missing?
b.
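Added example, not the poster's configuration: the same default-deny policy for the DNs above, written in the dn.<style> syntax of later slapd releases (slapd.access(5)) rather than the bare-regex form used in the post, which assumes the server understands that syntax. The root DSE is the entry with the empty DN that advertises what the server supports (naming contexts, controls, extensions, and where the schema lives); the attribute and objectClass definitions a client browser needs sit in the subschema subentry cn=Subschema. Both are served by the frontend, so their rules belong in the global section, and a policy that ends in "access to * by * none" hides them unless they are granted explicitly. Evaluation is first-match: the first "access to" clause whose target matches the entry and attribute is used, the first "by" clause within it that matches the requester decides, and a clause with no matching "by" denies. The DNs are the poster's; the "entry" pseudo-attribute grants and the "=xw" password privileges are the additions that make tree browsing and password changes work without exposing anything else.

```conf
#######################################################################
# Global section (before any "database" line): server-provided entries
#######################################################################

# Root DSE: clients read it first to learn naming contexts, supported
# controls and extensions, and the subschema location.
access to dn.base=""
        by * read

# Subschema subentry: holds attribute and objectClass definitions that
# browsers use to build their attribute editors.
access to dn.base="cn=Subschema"
        by * read

#######################################################################
# Database section (after "database ..." / "suffix dc=example,dc=com")
#######################################################################

# Password attribute first, since later clauses would otherwise match
# the whole entry. "=xw" lets a user authenticate with and replace their
# own password without being able to read the stored hash; anonymous
# clients may only use it to bind. Everyone else gets nothing.
access to dn.subtree="dc=example,dc=com" attrs=userPassword
        by self =xw
        by anonymous auth
        by * none

# Global contact list: the contacts administrator may change it, any
# authenticated user may read it. "subtree" covers the ou entry and the
# cn=... contacts beneath it, and "read" implies "search".
access to dn.subtree="ou=Contacts,ou=People,dc=example,dc=com"
        by dn.exact="uid=barfoo,ou=People,dc=example,dc=com" write
        by users read

# Personal contacts: the owner of uid=$2 may read and write the
# ou=Contacts entry under their own account and everything below it
# ("(.+,)?" absorbs the optional child RDNs). The ^ and $ anchors stop
# the pattern from matching a longer DN that merely contains this
# suffix. No other user matches any "by" clause here, so they are denied.
access to dn.regex="^(.+,)?ou=contacts,uid=([^,]+),ou=people,dc=example,dc=com$"
        by dn.exact,expand="uid=$2,ou=People,dc=example,dc=com" write

# The "entry" pseudo-attribute decides whether an entry may be used as a
# search base (search) or returned in results (read). Granting it on the
# containers, and to each user on their own account entry, lets a client
# walk the tree from the suffix down to the contact folders; since no
# other attributes are granted, only the DNs themselves are disclosed.
access to dn.base="dc=example,dc=com" attrs=entry
        by users read
access to dn.base="ou=People,dc=example,dc=com" attrs=entry
        by users read
access to dn.regex="^uid=[^,]+,ou=people,dc=example,dc=com$" attrs=entry
        by self read

# Everything not matched above (each user's own account attributes, other
# users' accounts, other users' personal contacts) is denied.
access to *
        by * none
```

With these rules an authenticated user can bind, change their own password, search ou=Contacts,ou=People from the suffix, and add or delete entries under their own ou=Contacts, while a search over another user's contacts returns no entries rather than an error. Note that if a user must see their own account attributes (cn, mail and so on), that needs a separate "by self read" clause on the account entries placed before the final deny; the post's stated goal does not include it, so it is left out here.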