
Re: ACL sanity check



On Sunday, 17 May 2015 17:25 CEST, Dieter Klünter <dieter@dkluenter.de> wrote:

> On Sat, 16 May 2015 16:39:47 -0400, Brendan Kearney
> <bpk678@gmail.com> wrote:
>
> > i am looking to improve my access controls, and wanted to make sure
> > the below passes muster and sanely implements what i am looking for.
> >
> > 0 - ldap admins get access to the entire directory
> > {0}to dn.subtree="dc=bpk2,dc=com"
> >          by group.exact="cn=ldapAdmins,ou=domainGroups,ou=Groups,dc=bpk2,dc=com" manage
> >          by anonymous auth
> >          by * none
> >
> > 1 - kerberos id get only the access they need
> > {1}to dn.subtree="cn=BPK2.COM,dc=bpk2,dc=com"
> >          by dn="cn=kadmin,dc=bpk2,dc=com" write
> >          by dn="cn=kdc,dc=bpk2,dc=com" read
> >          by * none
> >
>
> you should test your ACLs with slapacl(8)

Tests will never be a substitute for good reasoning about code. To write/perform good
tests one needs to understand the code ....

The OP's "example" is way too big for a ML question. Such auditing really
is (paid) work. But just as a remark (and starting point for the OP):

> > 0 - ldap admins get access to the entire directory
> > {0}to dn.subtree="dc=bpk2,dc=com"
> >          by group.exact="cn=ldapAdmins,ou=domainGroups,ou=Groups,dc=bpk2,dc=com" manage
> >          by anonymous auth
> >          by * none
> >
> > 1 - kerberos id get only the access they need
> > {1}to dn.subtree="cn=BPK2.COM,dc=bpk2,dc=com"
> >          by dn="cn=kadmin,dc=bpk2,dc=com" write
> >          by dn="cn=kdc,dc=bpk2,dc=com" read
> >          by * none

Question 1: What entry will _not_ match the first rule?
Answer: no entry (because of the "by *").

Question 2: What entries will hit rule 2?
Answer: no entry, since anything matching 'to dn.subtree="cn=BPK2.COM,dc=bpk2,dc=com"'
  will also match 'to dn.subtree="dc=bpk2,dc=com"' and will be handled by that rule.

You really need to get the order of your rules right (and make use of "pass" ...)

HTH Ralf Mattes
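The first-match behaviour discussed above, worked through for each possible ordering of the OP's two rules, as an added example that is not part of the original thread: a small Python model of how slapd walks `to` clauses in order, takes the first one that covers the target entry, and stops at the first matching `by` clause unless that clause carries the `break` control from slapd.access(5). The rule text is the OP's; the cn=ldapAdmins member (cn=alice), the ordinary user cn=bob and the krbPrincipalName entry are made up for the demonstration, and the evaluator is a deliberately simplified model (exact DN matching, entry-level access only, no attrs= or filter= clauses, no `continue` control), not slapd's own code.

```python
"""Toy model of slapd ACL evaluation (slapd.access(5)): the first 'to' clause that
covers the target entry decides, and within it the first matching 'by' clause wins
unless it carries 'break'. Simplified and constructed for illustration; not slapd's code."""
from __future__ import annotations
import re
import shlex
from dataclasses import dataclass

LEVELS = ["none", "disclose", "auth", "compare", "search", "read", "write", "manage"]
CONTROLS = {"stop", "break"}   # 'continue' is not modelled here

def norm_dn(dn: str) -> str:
    """Crude normalisation: trim and lower-case each RDN (no escaping handled)."""
    return ",".join(part.strip().lower() for part in dn.split(","))

def in_subtree(entry_dn: str, base_dn: str) -> bool:
    entry, base = norm_dn(entry_dn), norm_dn(base_dn)
    return entry == base or entry.endswith("," + base)

@dataclass
class By:
    who: str           # "dn", "dn.exact", "group.exact", "anonymous" or "*"
    arg: str | None    # DN after dn= / group.exact=
    access: str        # one of LEVELS; "none" when omitted, as in 'by * break'
    control: str       # "stop" (default) or "break"

def parse_acl(text: str) -> tuple[str, list[By]]:
    """Parse 'to dn.subtree="..." by ... by ...'; a leading '{n}' as in olcAccess is dropped."""
    toks = shlex.split(re.sub(r"^\{\d+\}", "", text.strip()))
    if toks[:1] != ["to"] or not toks[1].startswith("dn.subtree="):
        raise ValueError(f"only 'to dn.subtree=...' is modelled: {text!r}")
    bys, i = [], 2
    while i < len(toks):
        if toks[i] != "by":
            raise ValueError(f"expected 'by' at token {i} in {text!r}")
        who, _, arg = toks[i + 1].partition("=")
        i, access, control = i + 2, "none", "stop"
        if i < len(toks) and toks[i] in LEVELS:
            access, i = toks[i], i + 1
        if i < len(toks) and toks[i] in CONTROLS:
            control, i = toks[i], i + 1
        bys.append(By(who, arg or None, access, control))
    return toks[1].split("=", 1)[1], bys

def who_matches(by: By, requester_dn: str | None, groups: dict[str, set[str]]) -> bool:
    """requester_dn is None for an anonymous session; groups maps group DN -> member DNs."""
    if by.who == "*":
        return True
    if by.who == "anonymous":
        return requester_dn is None
    if requester_dn is None:
        return False
    if by.who in ("dn", "dn.exact"):
        return norm_dn(requester_dn) == norm_dn(by.arg)
    if by.who == "group.exact":
        return norm_dn(requester_dn) in groups.get(norm_dn(by.arg), set())
    raise ValueError(f"<who> form {by.who!r} is not modelled")

def evaluate(acls, entry_dn: str, requester_dn: str | None, groups) -> tuple[str, str]:
    """Return (access, reason) for requester_dn acting on entry_dn."""
    decision = ("none", "implicit trailing 'to * by * none'")
    for i, (base, bys) in enumerate(acls):
        if not in_subtree(entry_dn, base):
            continue                      # this 'to' clause does not cover the entry
        hit = next((by for by in bys if who_matches(by, requester_dn, groups)), None)
        if hit is None:
            return "none", f"rule {i} covers the entry but no 'by' clause matched"
        decision = (hit.access, f"rule {i}: by {hit.who} {hit.access} {hit.control}")
        if hit.control == "stop":
            return decision               # first matching 'by' clause is final
        # 'break': carry on to the next 'to' clause that covers the entry
    return decision

# The OP's two rules without the '{n}' prefixes; the third ordering only swaps the
# Kerberos rule's final 'by * none' for 'by * break'.
GENERAL = ('to dn.subtree="dc=bpk2,dc=com"'
           ' by group.exact="cn=ldapAdmins,ou=domainGroups,ou=Groups,dc=bpk2,dc=com" manage'
           ' by anonymous auth by * none')
KERBEROS = ('to dn.subtree="cn=BPK2.COM,dc=bpk2,dc=com"'
            ' by dn="cn=kadmin,dc=bpk2,dc=com" write by dn="cn=kdc,dc=bpk2,dc=com" read by * none')
ORDERINGS = {
    "as posted": [GENERAL, KERBEROS],
    "kerberos rule first": [KERBEROS, GENERAL],
    "kerberos rule first, by * break": [KERBEROS.replace("by * none", "by * break"), GENERAL],
}
# Constructed identities and target entry, not from the thread.
ADMIN = "cn=alice,ou=People,dc=bpk2,dc=com"      # hypothetical member of cn=ldapAdmins
PERSON = "cn=bob,ou=People,dc=bpk2,dc=com"       # hypothetical ordinary user
KADMIN, KDC = "cn=kadmin,dc=bpk2,dc=com", "cn=kdc,dc=bpk2,dc=com"
PRINCIPAL = "krbPrincipalName=host/kdc.bpk2.com@BPK2.COM,cn=BPK2.COM,dc=bpk2,dc=com"
GROUPS = {norm_dn("cn=ldapAdmins,ou=domainGroups,ou=Groups,dc=bpk2,dc=com"): {norm_dn(ADMIN)}}

def access_for(ordering: str, entry_dn: str, requester_dn: str | None) -> str:
    acls = [parse_acl(rule) for rule in ORDERINGS[ordering]]
    return evaluate(acls, entry_dn, requester_dn, GROUPS)[0]
```

Three things the model brings out. With the rules as posted, cn=kadmin and cn=kdc get `none` on every entry under cn=BPK2.COM, because rule 0 covers the whole suffix and its `by * none` has already decided before rule 1 is ever consulted. Moving the Kerberos rule first gives them write and read, but its own `by * none` then locks the cn=ldapAdmins members out of that subtree. Ending the Kerberos rule with `by * break` instead hands everyone it does not name back to the general rule, so the admins keep `manage` there; the flip side is that the general rule's `by anonymous auth` now applies to the principal entries too, so check what the fall-through rule grants. The live configuration should still be checked with slapacl(8), e.g. `slapacl -F <confdir> -D cn=kadmin,dc=bpk2,dc=com -b <principal DN> entry/write`.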