Hi everyone! For compatibility reasons I had to change the way I store my users' passwords in LDAP from SSHA to plaintext, and now I want to try to restrict access to some attributes while I find a better solution. My LDAP tree is something like this:

dc=domain,dc=com
    cn=freeradius
    cn=diradmin
    cn=readonly
    cn=user1
    o=company1
        cn=admins_company1 (member: uid=user1 and uid=user6)
        ou=users
            uid=user1
            uid=user2
        ou=groups
            cn=company1_group1
            cn=company1_group2
    o=company2
        cn=admins_company2
        ou=users
            uid=user3
            uid=user4
        ou=groups
            cn=company2_group1
            cn=company2_group2
    o=company3
        cn=admins_company3
        ou=users
            uid=user5
            uid=user6
        ou=groups
            cn=company2_group1
            cn=company2_group2
    o=user1subtree
        ou=users
            uid=user15
            uid=user62
        ou=groups
            cn=group1
            cn=group2

Here are the permissions I want to grant:

- all users can modify their own attributes
- the user cn=freeradius is used by FreeRADIUS to authenticate users on the 802.11x Wi-Fi; it should read the whole tree, including the userPassword attribute
- the user cn=diradmin is the rootdn
- cn=readonly can read the whole tree, but not the userPassword attribute
- cn=user1 can read the whole directory (not the userPassword attribute) and write in his own subtree (o=user1subtree)
- uid=user1 and uid=user6 are company1's administrators, so they can write in the whole o=company1 subtree
- the number of companies changes often, so I can't statically define an ACL for accessing each subtree

I wrote the following ACL (it's my first time). Is it correct, or am I missing something? The regex is expensive (any search in the tree takes a lot of time) but works; how can I optimize it?
{0}to attrs=userPassword
    by self =xw
    by dn="cn=freeradius,dc=domain,dc=com" read
    by anonymous auth
    by * none
{1}to attrs=shadowLastChange
    by self write
    by * read
{2}to dn.subtree="o=user1subtree,dc=domain,dc=com"
    by dn="cn=user1,dc=domain,dc=com" write
{3}to dn.regex="o=(.+),dc=domain,dc=com$"
    by group.expand="cn=admins_$1,o=$1,dc=domain,dc=com" write
    by dn="cn=user1,dc=domain,dc=com" read
    by dn="cn=freeradius,dc=domain,dc=com" read
    by self write
{4}to *
    by dn="cn=user1,dc=domain,dc=com" read
    by dn="cn=freeradius,dc=domain,dc=com" read
    by * read
    by self write
    by anonymous auth

Thanks!
-- Alberto Aldrigo
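As an added illustration (this is not part of Alberto's post, nor an official OpenLDAP example), here is a revised version of the same five rules that fixes the "by" ordering problems in the posted ACL and tightens the regex. It keeps the DNs and requirements from the post. The target entry olcDatabase={1}mdb,cn=config is an assumption, since the post does not say which backend or configuration style is in use; adjust it to your database entry, or translate the values into slapd.conf "access to" lines if you use the static config file.

```ldif
# Assumed database entry: replace with the olcDatabase entry that holds
# the suffix dc=domain,dc=com in your cn=config.
dn: olcDatabase={1}mdb,cn=config
changetype: modify
replace: olcAccess
# {0}: the owner can change (but not read back) the password, FreeRADIUS
# reads it, anyone may bind with it, nobody else sees it.  This rule has
# no dn part, so it applies to userPassword on every entry and must come
# before any rule with "to *" or a dn pattern.
olcAccess: {0}to attrs=userPassword
  by self =xw
  by dn.exact="cn=freeradius,dc=domain,dc=com" read
  by anonymous auth
  by * none
# {1}: "users" (authenticated binds) instead of "*", so anonymous binds
# no longer read shadowLastChange.
olcAccess: {1}to attrs=shadowLastChange
  by self write
  by users read
  by * none
# {2}: cn=user1 owns this subtree; its own users keep self-write, and
# cn=readonly / cn=freeradius / cn=user1 get read via "users".
# Must stay ahead of {3}, because o=user1subtree also matches that regex.
olcAccess: {2}to dn.subtree="o=user1subtree,dc=domain,dc=com"
  by dn.exact="cn=user1,dc=domain,dc=com" write
  by self write
  by users read
  by * none
# {3}: one rule for every o=<company> subtree.  The pattern is anchored at
# both ends and uses [^,]+ for the company name, so the matcher stops at
# the next comma instead of backtracking a greedy ".+" from the end of the
# DN.  The optional "(.+,)?" is group 1, so the company name is $2.
# group.expand compares the bound DN with the member values of
# cn=admins_<company>,o=<company>,dc=domain,dc=com (groupOfNames/member,
# the defaults), so those member values must be full DNs.
olcAccess: {3}to dn.regex="^(.+,)?o=([^,]+),dc=domain,dc=com$"
  by group.expand="cn=admins_$2,o=$2,dc=domain,dc=com" write
  by self write
  by users read
  by * none
# {4}: everything else (the service accounts and the suffix entry).
# "by self write" is listed before "by users read" because the first
# matching "by" clause wins.
olcAccess: {4}to *
  by self write
  by users read
  by * none
```

Why the ordering matters: slapd evaluates the first "to" clause whose target matches, and inside it the first "by" clause whose subject matches; anything that matches nothing ends at the implicit "by * none". In the posted {4}, "by * read" sits before "by self write" and "by anonymous auth", so those two never fire and an anonymous bind gets read access to every entry {4} covers. In the posted {2} and {3}, neither cn=readonly nor the users living inside those subtrees match any "by" clause, so readonly cannot see the company subtrees and uid=user15 cannot modify his own entry, which contradicts the stated requirements. The version above puts "self write" ahead of "users read" everywhere and uses "users" rather than "*", so an anonymous bind gets only the "auth" access on userPassword that it needs to log in.

On performance: slapd.access(5) notes that regex-style targets are much slower than exact or subtree ones, so keep the exact/subtree rules ({0}-{2}) ahead of the regex rule, anchor the pattern, and avoid ".+" inside it. If searches are still slow, raise the ACL log level (loglevel acl) for one search and check that each entry is resolved by the rule you expect rather than falling through to the regex.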