[Date Prev][Date Next] [Chronological] [Thread] [Top]

Groups, Nesting and Access

To: "openldap-technical@openldap.org" <openldap-technical@openldap.org>
Subject: Groups, Nesting and Access
From: Brendan Kearney <bpk678@gmail.com>
Date: Thu, 27 Jun 2013 20:06:11 -0400
Dkim-signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=message-id:subject:from:to:date:content-type:x-mailer:mime-version :content-transfer-encoding; bh=/H7MQX1SY1i26sLQBV2yjP9ioQehuuGppFiOHG1GACE=; b=Psk5ch7D3l65NShCdiZ6KQbuicfp6Ja5qpyboyil093JbwDuYSfBLKiQuyJQWSDopL UA+rkDStpADVZBUz17vBRCi7Y8hqSDHFRGiPGNWWLoVYR6446JZQFh3lz6DNKd3WihON 5vB9jU6RGAtJeAHdM590rkfEb5nlZRQ8GPfyAMu1jqaADbstCtYGz1z5qDnrdakIr/30 VAfajFOUr4WTxTPE3mTl+iDYgj51bUE3kFdyqJ9Q+mN9q58k5LUgsyHUOl8WbBJg4J0O 6eXl7iE/srBa35eRIo8mX+qgKBtTzf6eT/KcDcvDdPNJ+nalrDImepsC7xlIYhCoN1Yw rMAg==

list members,

i am looking to have a group "LDAP Engineers" and "LDAP Admins"
configured, with the engineers group a member of the admin group.   i
have a feeling ACLs will need to be adjusted for this.

the engineer role will have full read/write access to cn=config.  the
access granted to cn=config should not include access to the DIT by
default.  the membership in the admin group should be used to grant this
access.  think more than one database, and not every engineer will be an
admin for every database.  essentially, engineers can modify base level
configs in slapd, add/load schemas, add/load modules, create new
databases, add/modify/delete ACLs, etc.  these will be the ldap gurus.

the admin roll will have full read/write access to the database the
dc=bpk2,dc=com tree is in, only.  essentially, admins can
add/modify/delete the objects in the DIT.  these will be the ldap
support staff.  because the engineers can be members of this group, they
will inherit the access to the DIT.

acls will need to be constructed for this separation of duty.  the
default access granted to the root id by the below might need to be
modified or additions made to the ACL list:

olcAccess: {0}to *  by dn.base="gidNumber=0
+uidNumber=0,cn=peercred,cn=external,cn=auth" manage  by * none

since this applies to the base, the engineer role should get this
access, too.  does the above ACL grant access to more than just the
cn=config?  how can the engineer role be limited to only the cn=config,
and not the database(s) that would have DITs in them?

the database for the DIT, where dc=bpk2,dc=com resides has the below
ACLs.  what ACLs are needed to give the admin role full read/write
access to the database only?  i would imagine those ACLs need to be
above the ones listed, so that the admins can modify the same settings
the users are allowed to modify.

olcAccess: {0}to attrs=userPassword,shadowLastChange by anonymous auth
by * none
olcAccess: {1}to attrs=loginShell by self write by * none
olcAccess: {2}to dn.base="" by * read
olcAccess: {3}to dn.subtree="dc=bpk2,dc=com" by
dn="cn=adm-srv,dc=bpk2,dc=com" write by dn="cn=kdc-srv,dc=bpk2,dc=com"
read by * none

also,  i have read that users should not be able to modify their own uid
and gid attributes.  how does one construct ACLs that grant users the
ability to modify specific attributes, but not others?  what are the
attributes that users should not be able to modify?  i would think those
are fewer in total #s than the ones that the users should be able to
modify.  with that theory, how is an ACL constructed so that all
attributes, except for those few, can be modified by the user?  is there
some "negated" logic that can be used in ACLs?  i have read the "man
slapd.access" page, and ACLs are still a bit of voodoo for me.  i have
to get more comfortable with them, but would like some pointers to get
me going.

thanks in advance,

brendan

Prev by Date: IDs, RootDN and replication
Next by Date: Types of Groups, Structural objects and Inheritance
Index(es):
- Chronological
- Thread