[Date Prev][Date Next] [Chronological] [Thread] [Top]

Problems configure access-lists


I'm running OpenLDAP 2.3.19.

Our LDAP-structure is as below;

  cn=admlocal (objectclass=person)
  cn=admmaster (objectclass=simpleSecurityObject, organizationalRole)
  dep=dep1 (objectclass=locDep)
    cn=admin (objectclass=locAdmin)
    locId=ID11 (objectclass=locData)
    locId=ID12 (objectclass=locData)
    locUsr=USR11 (objectclass=locUser)
  dep=dep2 (objectclass=locDep)
    cn=admuser (objectclass=locAdmin)
    locId=ID21 (objectclass=locData)
    locId=ID22 (objectclass=locData)
    locUsr=USR21 (objectclass=locUser)

Objectclasses locDep, locAdmin, locData and locUser are locally defined classes.

Everything works fine right now, but when I looked in sklapd.conf I saw a major configuration error;
The access-lists states;

access to attrs=userPassword
        by dn="cn=admmaster,ou=admin,dc=example,dc=com" write
        by anonymous auth
        by self write
        by * none

access to *
        by dn="cn=admlocal,ou=admin,dc=example,dc=com" write
        by dn="cn=admmaster,ou=admin,dc=example,dc=com" write
        by * write

I wants to tighthen this security but I can't figure out how I should configure my access-lists.

* cn=admmaster,ou=admin,dc=example.dc=com
Should have full access to everything

* cn=admlocal,ou=admin,dc=example.dc=com
Should have full access to everything, except userPassword

* cn=<username>,dep=<dep>,ou=deps,dc=example.dc=com
Should have full access to everything below its dep, i.e.
- cn=admin,dep=dep1,ou=deps,dc=example.dc=com should have full access to everything below dep=deop1,ou=deps,dc=example.dc=com and read on dep=deop1,ou=deps,dc=example.dc=com.
- cn=admuser,dep=dep2,ou=deps,dc=example.dc=com should have full access to everything below dep=dep2,ou=deps,dc=example.dc=com and read on dep=dep2,ou=deps,dc=example.dc=com.

The name of (class) locAdmin can be different in different deps.

I hope that I've managed to describe what I wants to achive.


---------------------------------------------------------------- This message was sent using IMP (http://www.horde.org). Running on PHP 5.1.2, Apache 2.0.55, Ubuntu Dapper.