[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: Admin roles by group membership per OU

To: Quanah Gibson-Mount <quanah@symas.com>
Subject: Re: Admin roles by group membership per OU
From: Ervin Hegedüs <airween@gmail.com>
Date: Mon, 16 Oct 2017 16:55:43 +0200
Cc: Clément OUDOT <clement.oudot@savoirfairelinux.com>, openldap-technical@openldap.org
Content-disposition: inline
Dkim-signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=date:from:to:cc:subject:message-id:references:mime-version :content-disposition:content-transfer-encoding:in-reply-to :user-agent; bh=Gy8g9YvjdoEaTv/xy+WYWTbA19D9Rw4kBIWATzZe6qo=; b=bkCUkzjZ/N2dE+08z8NZAqDHUEU4J2kNz1RMOO0SketYG834xkPlMjGEjunueNfwXB mF4U7y378F+TPLRSypSFjpxmGgEDNP705BQobsRV702hwTRwrBCp0KLeG7xinCjlHtHP 2PGNdQpYYtQFMpHKROBel6olXgNPgFw/Az4YG9a5TT/PlRtBpPtjN4xa2vWuqoWm3pkW V6eTiAf8zN0DGpjUejw27t+YdIFIY54YmaHqSOpfR8BmjbglsLqBnsiTRYKThNbr0P0d j3jQgOYmPAKuw3yoAnEm52yp+vPpHI1x5dlZ1TxFm+DBDk1EPQXaDn/cwEtKcFfSsb8z /n3A==
In-reply-to: <583A73A35E7B9CE7720F7A3E@[192.168.1.30]>
References: <20171011153114.GA6037@arxnet.hu> <5411f0bd-bf3d-1a88-650b-8f8e845815df@savoirfairelinux.com> <20171012143945.GA24897@arxnet.hu> <1e3053aa-10c0-2e89-4ecf-78b196480abb@savoirfairelinux.com> <20171012153230.GA26702@arxnet.hu> <WM!3ea8ec7098d14925dc39d957afaad62f207f43d00b4c648f2f5d4f5322d8acfa9261435931a6075dbeba167726dc6c91!@mailstronghold-3.zmailcloud.com> <755C73DF70A5217978F6B6A1@[192.168.1.30]> <20171016084524.GA877@arxnet.hu> <WM!43703ab56969c2acf0985d6545b4c4a3f566ea9735fb004c659aeac0800d62dba608b595cdc34bd0efd7fc93a125415f!@mailstronghold-1.zmailcloud.com> <583A73A35E7B9CE7720F7A3E@[192.168.1.30]>
User-agent: Mutt/1.5.24 (2015-08-30)

Hi Quanah,

On Mon, Oct 16, 2017 at 07:42:39AM -0700, Quanah Gibson-Mount wrote:
> --On Monday, October 16, 2017 11:45 AM +0200 Ervin Hegedüs
> >and a member of cn=groupabcadmin,ou=ABC Customer,dc=core,dc=hdt,dc=hu
> >can modify any attributes at any users under the ou=ABC Customer,
> >EXCEPT the userPassword - when I want to modify that, I get
> >permission error:
> 
> That would be expected, given your ACLs.

right,

> >How can I combine the attrs and group permissions? Should I list
> >all attributes in rule?
> 
> You need to add a rule in the userPassword ACL to allow the group to write
> to the attribute.  ACLs are processed in the order they are listed, and STOP
> at the first match.  This is clearly documented in the slapd.access(5) man
> page.
> 
> I.e., you would need:
> 
> dn: olcDatabase={1}mdb,cn=config
> olcAccess: {0}to attrs=userPassword,shadowLastChange by self write by anonymous auth by dn="uid=repuser,dc=core,dc=hdt,dc=hu" read by group.exact="cn=groupabcadmin,ou=ABC Customer,dc=core,dc=hdt,dc=hu" write
> olcAccess: {1}to dn.children="ou=ABC Customer,dc=core,dc=hdt,dc=hu" by self write by group.exact="cn=groupabcadmin,ou=ABC Customer,dc=core,dc=hdt,dc=hu" write by dn="uid=repuser,dc=core,dc=hdt,dc=hu" read
> olcAccess: {2}to * by * read

without any real testing, I'm afraid that the rule{0} gives the
write access to cn=groupabcadmin to _all_ db, not just the ou=ABC Cumstomer
subtree.

Em I right?

There will be several OU's, and all OU will have an admin group.
All member of _that_ group under the own OU will have write
permission.

Note, that the users will _not_ allow the LDAP directly, they
will be use a webapp. So, if this idea is too complax and/or too
dangerous, then there will be only one dedicated user (for
webapp), who will have the admin rights. But the users will
authenticated themselves from LDAP, and the group membership will
choose, which methods allowed on which subtree.

I think that the LDAP auth and group membership checking is
more clean solution - but it needs a good and stable access
hierarcy.

What do you think about it?

> I would note again that "by * none" is implicit on any ACL, there's no need
> to specifically list it.

right, that's clear.

Thanks,

a.

References:
- Admin roles by group membership per OU
  - From: Ervin Hegedüs <airween@gmail.com>
- Re: Admin roles by group membership per OU
  - From: Clément OUDOT <clement.oudot@savoirfairelinux.com>
- Re: Admin roles by group membership per OU
  - From: Ervin Hegedüs <airween@gmail.com>
- Re: Admin roles by group membership per OU
  - From: Clément OUDOT <clement.oudot@savoirfairelinux.com>
- Re: Admin roles by group membership per OU
  - From: Ervin Hegedüs <airween@gmail.com>
- Re: Admin roles by group membership per OU
  - From: Quanah Gibson-Mount <quanah@symas.com>
- Re: Admin roles by group membership per OU
  - From: Ervin Hegedüs <airween@gmail.com>
- Re: Admin roles by group membership per OU
  - From: Quanah Gibson-Mount <quanah@symas.com>

Prev by Date: Re: Admin roles by group membership per OU
Next by Date: Re: Admin roles by group membership per OU
Index(es):
- Chronological
- Thread