
Re: ACL on create questions



On Thu, May 02, 2013 at 07:21:25AM +0000, Emmanuel Dreyfus wrote:

> 1) Is it possible to allow entry creation on a branch while preventing
> renaming?  I understand I need to give write access to
> - attrs=children on parent
> - attrs=entry on created entry
> - attrs=<the mandatory attributes for object>

You could do this by preventing deletion of the entries.
This could be done at several levels:

	1) Block deletion of children at the parent entry

	2) Block deletion of the entry itself

	3) Block deletion of attribute values used in the RDN

You will need to use the 'privilege' permission model rather than the
'level' model. See 'THE <ACCESS> FIELD' and 'OPERATION REQUIREMENTS' in
the slapd.access manpage.

If you want to allow people to delete entries as well as add them, then
you cannot prevent renaming...

> 2) Is it possible to make some entry values mandatory for an entry creation?
> e.g.: I want to enforce specific values of objectClass

You could put a filter on the ACL entry that grants create permission so
that it only triggers where the proposed entry has the right object
class:

# We only want inetOrgPerson objects here
access to dn.onelevel="dc=people,dc=example,dc=org" filter="(objectClass=inetOrgPerson)"
        by dn.exact="uid=admin,dc=people,dc=example,dc=org" write
        by * break

You will probably want to enable add_content_acl for the database.

Further control can be exercised with DIT content rules. For example,
this would prevent auxiliary classes being added to inetOrgPerson
entries:

ditcontentrule ( 2.16.840.1.113730.3.2.2
        NAME 'dcrPerson'
        DESC 'Limit aux classes allowed on inetOrgPerson entries'
        )

This would permit a locally-defined aux class and also require the mail
attribute:

ditcontentrule ( 2.16.840.1.113730.3.2.2
        NAME 'dcrPerson'
        DESC 'Control inetOrgPerson entries'
        AUX examplePerson
        MUST mail
        )

Note that ditcontentrule is part of schema rather than access control, so
even the rootDN cannot normally bypass it.

More examples here:

	http://www.skills-1st.co.uk/papers/ldap-acls-jan-2009/

Andrew
-- 
-----------------------------------------------------------------------
|                 From Andrew Findlay, Skills 1st Ltd                 |
| Consultant in large-scale systems, networks, and directory services |
|     http://www.skills-1st.co.uk/                +44 1628 782565     |
-----------------------------------------------------------------------
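An added example, not part of Andrew's reply or of OpenLDAP itself: a small Python model of the two checks his second answer describes, the ACL filter on objectClass (as evaluated against the new entry when add_content_acl is on) and the second dcrPerson content rule (AUX examplePerson, MUST mail), run against constructed LDIF-like entries. The function `check_add`, the entry format and the sample entries are assumptions of the model, not slapd's API; slapd's own checks are richer (case-insensitive class names, full schema MUST/MAY validation).

```python
# Added example (not from the mail or from OpenLDAP): models how the reply's
# ACL filter and dcrPerson DIT content rule constrain an LDAP add.
# The inetOrgPerson superclass chain is standard schema; all else is constructed.

STRUCTURAL_CHAIN = {"inetOrgPerson", "organizationalPerson", "person", "top"}

# Constraints copied from the reply's examples:
ACL_FILTER_CLASS = "inetOrgPerson"    # filter="(objectClass=inetOrgPerson)"
DCR_ALLOWED_AUX = {"examplePerson"}   # AUX examplePerson
DCR_MUST = {"mail"}                   # MUST mail


def check_add(entry: dict[str, list[str]]) -> list[str]:
    """Return the reasons an add of `entry` would be refused; [] if it passes.

    `entry` maps lower-cased attribute names to value lists, like parsed LDIF.
    Class names are compared case-sensitively here (a simplification).
    """
    problems = []
    classes = set(entry.get("objectclass", []))

    # 1. The ACL grants write only where its filter matches; with
    #    add_content_acl the filter is tested against the proposed entry,
    #    so an entry of another class falls through to "by * break".
    if ACL_FILTER_CLASS not in classes:
        problems.append("ACL: filter (objectClass=inetOrgPerson) does not match; no grant applies")

    # 2. The DIT content rule (OID 2.16.840.1.113730.3.2.2 = inetOrgPerson)
    #    is schema, so it binds every writer, rootdn included.
    if "inetOrgPerson" in classes:
        aux = classes - STRUCTURAL_CHAIN
        for cls in sorted(aux - DCR_ALLOWED_AUX):
            problems.append(f"DCR: auxiliary class {cls!r} not permitted by dcrPerson")
        for attr in sorted(DCR_MUST):
            if not entry.get(attr.lower()):
                problems.append(f"DCR: required attribute {attr!r} missing")
    return problems


if __name__ == "__main__":
    # Constructed sample entries
    ok = {"objectclass": ["top", "person", "organizationalPerson", "inetOrgPerson",
                          "examplePerson"], "cn": ["Alice"], "sn": ["Example"],
          "mail": ["alice@example.org"]}
    bad = {"objectclass": ["top", "person", "organizationalPerson", "inetOrgPerson",
                           "posixAccount"], "cn": ["Bob"], "sn": ["Example"]}
    for name, e in (("ok", ok), ("bad", bad)):
        print(name, check_add(e) or "accepted")
```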