
Re: ACL sanity check



On Sat, 16 May 2015 16:39:47 -0400,
Brendan Kearney <bpk678@gmail.com> wrote:

> I am looking to improve my access controls, and wanted to make sure
> the below passes muster and sanely implements what I am looking for.
> 
> 0 - ldap admins get access to the entire directory
> {0}to dn.subtree="dc=bpk2,dc=com"
>          by group.exact="cn=ldapAdmins,ou=domainGroups,ou=Groups,dc=bpk2,dc=com" manage
>          by anonymous auth
>          by * none
> 
> 1 - kerberos id get only the access they need
> {1}to dn.subtree="cn=BPK2.COM,dc=bpk2,dc=com"
>          by dn="cn=kadmin,dc=bpk2,dc=com" write
>          by dn="cn=kdc,dc=bpk2,dc=com" read
>          by * none
> 
> 2 - dns engineers, admins and dns process accounts get access
> {2}to dn.subtree="cn=dns,ou=Daemons,dc=bpk2,dc=com"
>          by group.exact="cn=dnsEngineers,ou=domainGroups,ou=Groups,dc=bpk2,dc=com" manage
>          by group.exact="cn=dnsAdmins,ou=domainGroups,ou=Groups,dc=bpk2,dc=com" write
>          by group.exact="cn=dnsProcesses,ou=processGroups,ou=Groups,dc=bpk2,dc=com" write
>          by * none
> 
> 3 - dhcp engineers, admins and dhcp process accounts get access
> {3}to dn.subtree="cn=DHCP Config,ou=Daemons,dc=bpk2,dc=com"
>          by group.exact="cn=dhcpEngineers,ou=domainGroups,ou=Groups,dc=bpk2,dc=com" manage
>          by group.exact="cn=dhcpAdmins,ou=domainGroups,ou=Groups,dc=bpk2,dc=com" write
>          by group.exact="cn=dhcpProcesses,ou=processGroups,ou=Groups,dc=bpk2,dc=com" read
>          by * none
> 
> 4 - dhcp engineers, admins and dhcp process accounts get access
> {4}to dn.subtree="cn=DHCP Servers,ou=Daemons,dc=bpk2,dc=com"
>          by group.exact="cn=dhcpEngineers,ou=domainGroups,ou=Groups,dc=bpk2,dc=com" manage
>          by group.exact="cn=dhcpAdmins,ou=domainGroups,ou=Groups,dc=bpk2,dc=com" write
>          by group.exact="cn=dhcpProcesses,ou=processGroups,ou=Groups,dc=bpk2,dc=com" read
>          by * none
> 
> 5 - users can read this ou
> {5}to dn.subtree="ou=Computers,dc=bpk2,dc=com"
>          by users read
>          by * none
> 
> 6 - users can read this ou
> {6}to dn.subtree="ou=Groups,dc=bpk2,dc=com"
>          by users read
>          by * none
> 
> 7 - users can read this ou
> {7}to dn.subtree="ou=Networks,dc=bpk2,dc=com"
>          by users read
>          by * none
> 
> 8 - users can read this ou
> {8}to dn.subtree="ou=Users,dc=bpk2,dc=com"
>          by users read
>          by * none
> 
> Are there any specific ACLs that I should have?  Are there any
> glaring issues with the above proposed ACLs?

You should test your ACLs with slapacl(8).

-Dieter

-- 
Dieter Klünter | Systems consulting
http://sys4.de
GPG Key ID: E9ED159B
53°37'09,95"N
10°08'02,42"E
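Editor's note, added example (not code from the thread or from OpenLDAP): before reaching for slapacl(8), it helps to remember how slapd picks a directive. For each entry the first `access to` directive whose `<what>` matches is the only one consulted, and inside it the first matching `by` clause wins. Directive {0} above covers `dn.subtree="dc=bpk2,dc=com"`, i.e. every entry in the database, and ends in `by * none`, so directives {1} to {8} are never reached for anyone who is not in ldapAdmins or anonymous. The toy evaluator below models that first-match rule over three of the posted directives ({0}, {1} and {8}, joined onto one line each), then tries the usual fix of moving the base-wide directive last, which in turn shows why `by anonymous auth` has to survive on user entries (a simple bind needs `auth` access to `userPassword`). It ignores attribute-level rules, the `continue`/`break` controls, set and regex `<who>` forms and the rootDSE; the group membership passed to `access()` is constructed for the example, where slapd would look it up in the directory. The entry `uid=someone,ou=Users,dc=bpk2,dc=com` is constructed too.

```python
"""Toy model of slapd's first-match ACL evaluation (added example, not
OpenLDAP code). Good enough to reason about the posted directives before
running the authoritative check with slapacl(8); it ignores attribute-level
rules, the continue/break controls, set/regex <who> forms and the rootDSE."""
import re

# Access levels in increasing order; a granted level implies every lower one.
LEVELS = ["none", "disclose", "auth", "compare", "search", "read", "write", "manage"]
TO_RE = re.compile(r'to\s+dn\.subtree="([^"]+)"')
BY_RE = re.compile(r'\bby\s+(\S+)\s+(' + "|".join(LEVELS) + r')\b')

BASE = "dc=bpk2,dc=com"
ADMINS = 'group.exact="cn=ldapAdmins,ou=domainGroups,ou=Groups,dc=bpk2,dc=com"'

# Directives {0}, {1} and {8} from the post, joined onto one line each.
POSTED = [
    'to dn.subtree="dc=bpk2,dc=com" by ' + ADMINS + " manage by anonymous auth by * none",
    'to dn.subtree="cn=BPK2.COM,dc=bpk2,dc=com" by dn="cn=kadmin,dc=bpk2,dc=com" write '
    'by dn="cn=kdc,dc=bpk2,dc=com" read by * none',
    'to dn.subtree="ou=Users,dc=bpk2,dc=com" by users read by * none',
]


def norm(dn):
    """Crude DN comparison key: lower-case, whitespace around RDNs dropped."""
    return ",".join(rdn.strip().lower() for rdn in dn.split(","))


def in_subtree(entry_dn, base_dn):
    e, b = norm(entry_dn), norm(base_dn)
    return e == b or e.endswith("," + b)


def parse_acls(lines):
    """'to dn.subtree="..." by <who> <level> ...' -> [(subtree, [(who, level), ...])]."""
    return [(TO_RE.search(t).group(1), BY_RE.findall(t)) for t in lines]


def who_matches(who, bind_dn, groups):
    """The <who> forms the post uses. bind_dn=None is an anonymous session; groups is
    the set of group DNs the bound identity belongs to (constructed here; slapd
    would read the group entry's member attribute itself)."""
    if who == "*":
        return True
    if who == "anonymous":
        return bind_dn is None
    if who == "users":
        return bind_dn is not None
    if who.startswith("dn="):
        return bind_dn is not None and norm(bind_dn) == norm(who[3:].strip('"'))
    if who.startswith("group.exact="):
        wanted = norm(who[len("group.exact="):].strip('"'))
        return any(norm(g) == wanted for g in groups)
    raise ValueError("unsupported <who>: " + who)


def access(acls, entry_dn, bind_dn=None, groups=()):
    """The first directive whose <what> matches the entry is the only one consulted;
    inside it the first matching <by> clause wins, and no match means 'by * none'."""
    for subtree, clauses in acls:
        if in_subtree(entry_dn, subtree):
            for who, level in clauses:
                if who_matches(who, bind_dn, groups):
                    return level
            return "none"
    return "none"


def allows(acls, needed, entry_dn, bind_dn=None, groups=()):
    return LEVELS.index(access(acls, entry_dn, bind_dn, groups)) >= LEVELS.index(needed)


def reorder(acls, users_extra=()):
    """Move the base-wide directive last and repeat the admin clause in the specific
    ones, so ldapAdmins keep manage everywhere. users_extra is prepended to the
    ou=Users directive, e.g. ('anonymous', 'auth') so simple binds can still
    check userPassword once {0} no longer applies there."""
    specific, general = [], []
    for subtree, clauses in acls:
        if norm(subtree) == norm(BASE):
            general.append((subtree, clauses))
            continue
        front = [(ADMINS, "manage")]
        if norm(subtree) == norm("ou=Users," + BASE):
            front += list(users_extra)
        specific.append((subtree, front + clauses))
    return specific + general


if __name__ == "__main__":
    acls = parse_acls(POSTED)
    krb, kadmin = "cn=BPK2.COM,dc=bpk2,dc=com", "cn=kadmin,dc=bpk2,dc=com"
    user = "uid=someone,ou=Users,dc=bpk2,dc=com"  # constructed entry
    for label, a in [("posted", acls), ("reordered", reorder(acls)),
                     ("reordered+anon", reorder(acls, [("anonymous", "auth")]))]:
        print(label, "| kadmin on", krb + ":", access(a, krb, kadmin),
              "| anonymous on user entry:", access(a, user))
```

With the posted order, `cn=kadmin` gets `none` on the Kerberos subtree because {0} answers first; with the base-wide directive moved last and the ldapAdmins clause repeated, kadmin gets `write` and ldapAdmins keep `manage`, but anonymous drops to `none` on `ou=Users` until `by anonymous auth` is added there. Whatever ordering you settle on, confirm it against the live configuration with slapacl(8), for instance `slapacl -f <slapd.conf> -D <bind DN> -b <entry DN> <attr>/<access>` (paths and DNs are yours to supply); the model above is only a way to predict what it should report.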