[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: Openldap ACL's (first timer)

--On Tuesday, October 06, 2009 4:34 PM +1100 Craig T <sysadmin@shakenbake.net> wrote:

Hi Openldap Experts,

I'm designing a fairly simple openldap setup for our Melbourne office,
but it's my first LDAP site, so I'm kinda guessing....

LdapServer1: Centos 5.3x64 with db-4.7.25 and openldap-2.4.16 and the
clients are Linux Centos 5.2. I've already got everything working with
the basic acl setup of 'access to * by * read', the challenge now is how
to best secure the LDAP environment with the right acls?

Upgrade to OpenLDAP 2.4.19 (latest stable).

Scenario 1)
We'd like to restrict members to only be able to logon at certain
machines. The concept I'm missing is, how does the LDAP protocol link the
user authenticated to a hostname (machine user is sitting at)?

For example, user "cn=craig,ou=users,dc=example,dc=com" would like to log
onto pc "craigpc.example.com ip:".
From my study the following acls may work?

access to dn.base="cn=craig,ou=users,dc=example,dc=com" attrs=userPassword
    by peername.regex=IP:192\.168\.0\.100 & self read
    by * none

Check out the nss-ldapd stuff in <src>/contrib/

Scenario 2)
How to setup groups (or "sets" I believe they are called) in a way where
user "Craig" can be added to the "sysadmin" group and in turn get full
access to all our servers.

# sysadmin, groups, teratext.saic.com.au
dn: cn=sysadmin,ou=groups,dc=example,dc=com
objectClass: top
objectClass: groupOfNames
cn: teratext
member: cn=cht,ou=users,dc=example,dc=com
member: cn=ajg,ou=users,dc=example,dc=com

access to dn.subtree="ou=servers,dc=example,dc=com"

I'd suggest re-reading the slapd.access(5) man page. Particularly the access to ... by group.dn=... Sets are very expensive, and groups are naturally supported.



Quanah Gibson-Mount
Principal Software Engineer
Zimbra, Inc
Zimbra ::  the leader in open source messaging and collaboration