[Date Prev][Date Next] [Chronological] [Thread] [Top]

yet another ACL question



I want to run the ACLs on my OpenLDAP server with the same philosophy as
anything else that requires access control:  That which is not expressly
permitted is expressly denied.

I seem to be having some problems achieving this goal however.  It seems
like some of my problems is with regard to attributes and entries that
the server itself provides.

If I have the following DNs in my database:

# example.com
dn: dc=example,dc=com
objectClass: dcObject
objectClass: organization
o: Exmaple
dc: example

# People, example.com
dn: ou=People,dc=example,dc=com
objectClass: top
objectClass: organizationalUnit
ou: People

# Contacts, People, example.com
dn: ou=Contacts,ou=People,dc=example,dc=com
objectClass: top
objectClass: organizationalUnit
ou: Contacts
ou: People

# foobar, People, example.com
dn: uid=foo,ou=People,dc=example,dc=com
objectClass: organizationalPerson
objectClass: person
objectClass: inetOrgPerson
objectClass: kerberosSecurityObject
objectClass: posixAccount
objectClass: shadowAccount
objectClass: top
uid: foobar
sn: Bar
cn: Foo Bar
krbName: foobar
uidNumber: 9998
gidNumber: 9998
homeDirectory: null
userPassword:: xxxxxxxx
title: President

# barfoo, People, example.com
dn: uid=barfoo,ou=People,dc=example,dc=com
objectClass: organizationalPerson
objectClass: person
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: shadowAccount
objectClass: top
cn: Bar Foo
uid: barfoo
uidNumber: 9999
gidNumber: 9999
homeDirectory: null
userPassword:: xxxxx
title: Network Administrator
sn: Foo

# Contacts, foobar, People, example.com
dn: ou=Contacts,uid=foobar,ou=People,dc=example,dc=com
objectClass: top
objectClass: organizationalUnit
ou: Contacts

# Contacts, barfoo, People, example.com
dn: ou=Contacts,uid=barfoo,ou=People,dc=example,dc=com
objectClass: top
objectClass: organizationalUnit
ou: Contacts
ou: People

# Dave Jones, Contacts, foobar, People, example.com
dn: cn=Dave Jones,ou=Contacts,uid=foobar,ou=People,dc=example,dc=com
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
cn: Dave Jones
sn: Jones
o: Acme Widgets
mail: dave@example.com

# Dave Smith, Contacts, barfoo, People, example.com
dn: cn=Dave Smith,ou=Contacts,uid=barfoo,ou=People,dc=example,dc=com
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
cn: Dave Smith
sn: Smith
mail: smith@exmaple.com
o: Acme Widgets

# Brad Sharps, Contacts, People, example.com
dn: cn=Brad Sharps,ou=Contacts,ou=People,dc=example,dc=com
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
cn: Brad Sharps
givenName: Brad
sn: Sharpe
o: Acme Widgets

So I have come up with the following (suboptimal) ACL:

# Access to the Root DSE (what is this, pointers to an explanation much
# welcome)
access to dn=""
	by * read

# for authentication and users to change their passwords
access to dn=".*,dc=example,dc=com" attr=userPassword
	by dn="cn=Manager,dc=example,dc=com" write
	by self write
	by * auth

# Global contact list writable by "contacts administrator" but readable by
# any authenticated user
access to dn="ou=Contacts,ou=People,dc=examaple,dc=com"
        by dn="uid=barfoo,ou=People,dc=example,dc=com" write
        by dn="uid=[^,]*,ou=People,dc=example,dc=com" read

# Users can read and write their personal contacts
access to dn="ou=Contacts,uid=([^,]*),ou=People,dc=example,dc=com"
	by dn="uid=$1,ou=People,dc=example,dc=com" write

# everything else is denied
access to *
	by * none

But this ACL causes several problems.  One of which is that GQ does not
seem to like it so much.  I don't see full schemas or details about
attributes (i.e. for userPassword, the pulldown selector for password
"type")

My goal with this ACL is that users authenticated in ou=People,...
should be able to view global contacts (ou=Contacts,ou=People,...) and
view and edit their personal contacts
(ou=Contacts,uid=[^,]*,ou=People,...) but not read or write anything
else in the directory.

What details am I missing"?

b.

-- 
My other computer is your Microsoft Windows server.

Brian J. Murrell

Attachment: signature.asc
Description: This is a digitally signed message part