
Re: access rights in ldap-tree

On Mon, 29 Mar 2004, Piotr Wadas wrote:

> Hello,
> We are at the decision stage of choosing a solution for an LDAP implementation.
> OpenLDAP looks good to us, however there's one issue I'd like to be
> sure of before taking the final decision.
> How do I, or can I, put some access controls (rules) for LDAP
> into LDAP itself? It doesn't matter to me whether the LDAP server which
> provides the access rights is the same one to which the access rights apply, or
> a different one (another instance). The purpose of keeping LDAP rights
> in LDAP is as follows: we are going to create some web admin interface
> (strictly in PHP, doesn't matter) which should be able to e.g. add
> users to LDAP. However, these users, added by some kind of hyperadmin, should
> be able to "administrate" (write to) some LDAP subtrees assigned to them.
> LDAP access rights can be set in slapd.conf, however the main target is to
> avoid editing any system config file (and probably a service restart).
> My investigations resulted in some clues regarding SASL and
> regexp-based access controls. So it looks like I can set up
> an access right like
>         "by (dn=some_regexp_match_dn) accesslevel"
> so if a user belongs e.g. to the his-domain-admins subtree he can edit
> his-domain-users and his-domain-settings (his-domain-aliases,
> his-domain-dnsentries).
> The question is, do I understand these SASL issues properly? Anyway,
> in this way I cannot explicitly set in LDAP the type of access level
> for these users. I'd like to add some users with their permissions into the
> LDAP tree and maintain access rights via an LDAP client (no matter whether web or
> gq-like). Another point with the method mentioned above is that when
> adding a new domain I still have to add such an access control to the slapd.conf
> file, which is not wanted.

If you use well thought out regex-based ACLs, I don't think you will need 
to restart the LDAP servers often. For example, I use some ACLs like this 
in the global section of the slapd.conf:

# Allow users in the domain to add entries to the "global address book":
access to dn="^(.*,)?ou=Contacts,(dc=.+,?)+$$"
        by dn="uid=.*,ou=People,$2" write
        by group="cn=Domain Controllers,ou=Group,$2" write
        by * read

The only rules I haven't been able to implement flexibly have been rules 
allowing write access from the replicadn. So, I have my own questions:
-should the replicadn not by default have write access throughout?
-how about a keyword for the replicadn (i.e. like 'by self write', have 'by 
replicadn write' or similar)
-how about a keyword for the directory's suffix/basedn
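The point of the ACL above is that the domain suffix captured from the target DN (group 2 of the "access to" regex) is substituted for $2 in each "by" clause, so one rule serves every dc=... domain in the tree without a per-domain entry in slapd.conf. What follows is an added example, not code from the post or from OpenLDAP: a small Python model of that evaluation (first matching "to" regex, then the first matching "by" clause wins) run over constructed DNs and a constructed group membership table. It writes the patterns in the dn.regex/$n form rather than the exact form quoted in the reply, substitutes captured text verbatim, and treats an unanchored "by" pattern as a substring match, which is what lets the reply's `uid=.*,ou=People,$2` clause also match a bind DN that merely contains `,ou=People,<suffix>` somewhere below a sub-OU. The tightened variant anchors the pattern and forbids commas in the user RDN. Everything below (the entries, the group, the dc=other domain) is made up for the demonstration; confirm the real behaviour against a test slapd with ldapmodify as each identity.

```python
import re

# Constructed group membership, standing in for groupOfNames entries in the
# directory. Not taken from the original post.
GROUPS = {
    "cn=Domain Controllers,ou=Group,dc=example,dc=com": {
        "cn=dc1,ou=Hosts,dc=example,dc=com",
    },
}

# The reply's ACL, written in dn.regex/$n form. Each <who> clause is
# (kind, pattern, level); the first clause that matches the bind DN decides.
LOOSE_ACL = {
    "to": r"^(.*,)?ou=Contacts,(dc=.+,?)+$",
    "by": [
        ("dn.regex", r"uid=.*,ou=People,$2", "write"),
        ("group", r"cn=Domain Controllers,ou=Group,$2", "write"),
        ("*", None, "read"),
    ],
}

# Tightened variant: the user RDN may not contain a comma and the pattern is
# anchored, so it only matches entries directly under ou=People of the same
# domain as the target entry.
STRICT_ACL = {
    "to": LOOSE_ACL["to"],
    "by": [
        ("dn.regex", r"^uid=[^,]+,ou=People,$2$", "write"),
        ("group", r"cn=Domain Controllers,ou=Group,$2", "write"),
        ("*", None, "read"),
    ],
}


def expand(pattern, target_match):
    """Replace $1..$9 in a <who> pattern with the groups captured from the
    target DN. The captured text is inserted verbatim, so a '.' inside a
    captured value would act as a regex wildcard in the expanded pattern."""
    return re.sub(r"\$(\d)",
                  lambda m: target_match.group(int(m.group(1))) or "",
                  pattern)


def evaluate(acl, target_dn, bind_dn, groups=GROUPS):
    """Return the access level the ACL grants bind_dn on target_dn, or None
    when the 'to' clause does not match (the next ACL would then be tried)."""
    m = re.match(acl["to"], target_dn)
    if m is None:
        return None
    for kind, pattern, level in acl["by"]:
        if kind == "*":
            return level
        who = expand(pattern, m)
        # re.search models an unanchored pattern matching anywhere in the DN.
        if kind == "dn.regex" and re.search(who, bind_dn):
            return level
        # group clause: after expansion it is an exact group DN to look up.
        if kind == "group" and bind_dn in groups.get(who, ()):
            return level
    return "none"


# Constructed target entry in the example.com address book.
CONTACT = "cn=Bob,ou=Contacts,dc=example,dc=com"


def scenarios(acl):
    """Evaluate the constructed bind identities against CONTACT; returns
    {bind_dn: level}."""
    binders = [
        "uid=alice,ou=People,dc=example,dc=com",           # same-domain user
        "uid=mallory,ou=People,dc=other,dc=org",            # user of another domain
        "cn=dc1,ou=Hosts,dc=example,dc=com",                # member of Domain Controllers
        "uid=guest,ou=Guests,ou=People,dc=example,dc=com",  # entry in a sub-OU
        "",                                                 # anonymous bind
    ]
    return {b: evaluate(acl, CONTACT, b) for b in binders}


if __name__ == "__main__":
    for name, acl in (("loose", LOOSE_ACL), ("strict", STRICT_ACL)):
        print(name)
        for bind_dn, level in scenarios(acl).items():
            print(f"  {bind_dn or '<anonymous>':50} {level}")
```

The cross-domain case is the one worth checking whenever a $n rule is added: mallory's suffix never equals the captured dc=example,dc=com, so she falls through to "by * read" under both variants. The sub-OU case is where the two variants differ: the loose pattern grants the guest entry write access, the anchored one does not.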