I want to run the ACLs on my OpenLDAP server with the same philosophy as anything else that requires access control: that which is not expressly permitted is expressly denied. I seem to be having some problems achieving this goal, however. It seems like some of my problems are with regard to attributes and entries that the server itself provides.

If I have the following DNs in my database:

# example.com
dn: dc=example,dc=com
objectClass: dcObject
objectClass: organization
o: Example
dc: example

# People, example.com
dn: ou=People,dc=example,dc=com
objectClass: top
objectClass: organizationalUnit
ou: People

# Contacts, People, example.com
dn: ou=Contacts,ou=People,dc=example,dc=com
objectClass: top
objectClass: organizationalUnit
ou: Contacts
ou: People

# foobar, People, example.com
dn: uid=foobar,ou=People,dc=example,dc=com
objectClass: organizationalPerson
objectClass: person
objectClass: inetOrgPerson
objectClass: kerberosSecurityObject
objectClass: posixAccount
objectClass: shadowAccount
objectClass: top
uid: foobar
sn: Bar
cn: Foo Bar
krbName: foobar
uidNumber: 9998
gidNumber: 9998
homeDirectory: null
userPassword:: xxxxxxxx
title: President

# barfoo, People, example.com
dn: uid=barfoo,ou=People,dc=example,dc=com
objectClass: organizationalPerson
objectClass: person
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: shadowAccount
objectClass: top
cn: Bar Foo
uid: barfoo
uidNumber: 9999
gidNumber: 9999
homeDirectory: null
userPassword:: xxxxx
title: Network Administrator
sn: Foo

# Contacts, foobar, People, example.com
dn: ou=Contacts,uid=foobar,ou=People,dc=example,dc=com
objectClass: top
objectClass: organizationalUnit
ou: Contacts

# Contacts, barfoo, People, example.com
dn: ou=Contacts,uid=barfoo,ou=People,dc=example,dc=com
objectClass: top
objectClass: organizationalUnit
ou: Contacts
ou: People

# Dave Jones, Contacts, foobar, People, example.com
dn: cn=Dave Jones,ou=Contacts,uid=foobar,ou=People,dc=example,dc=com
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
cn: Dave Jones
sn: Jones
o: Acme Widgets
mail: dave@example.com

# Dave Smith, Contacts, barfoo, People, example.com
dn: cn=Dave Smith,ou=Contacts,uid=barfoo,ou=People,dc=example,dc=com
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
cn: Dave Smith
sn: Smith
mail: smith@example.com
o: Acme Widgets

# Brad Sharps, Contacts, People, example.com
dn: cn=Brad Sharps,ou=Contacts,ou=People,dc=example,dc=com
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
cn: Brad Sharps
givenName: Brad
sn: Sharpe
o: Acme Widgets

So I have come up with the following (suboptimal) ACL:

# Access to the Root DSE (what is this? Pointers to an explanation much
# welcome)
access to dn=""
        by * read

# for authentication and users to change their passwords
access to dn=".*,dc=example,dc=com" attr=userPassword
        by dn="cn=Manager,dc=example,dc=com" write
        by self write
        by * auth

# Global contact list writable by "contacts administrator" but readable by
# any authenticated user
access to dn="ou=Contacts,ou=People,dc=example,dc=com"
        by dn="uid=barfoo,ou=People,dc=example,dc=com" write
        by dn="uid=[^,]*,ou=People,dc=example,dc=com" read

# Users can read and write their personal contacts
access to dn="ou=Contacts,uid=([^,]*),ou=People,dc=example,dc=com"
        by dn="uid=$1,ou=People,dc=example,dc=com" write

# everything else is denied
access to *
        by * none

But this ACL causes several problems. One of these is that GQ does not seem to like it so much: I don't see full schemas or details about attributes (i.e. for userPassword, the pulldown selector for password "type").

My goal with this ACL is that users authenticated in ou=People,... should be able to view global contacts (ou=Contacts,ou=People,...) and view and edit their personal contacts (ou=Contacts,uid=[^,]*,ou=People,...) but not read or write anything else in the directory.

What details am I missing?

b.

-- 
My other computer is your Microsoft Windows server.

Brian J. Murrell
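One way to see exactly what that ACL grants and denies, added here as an example and not part of Brian's message: a small Python simulator of slapd's evaluation order (the first matching "access to" clause wins, then the first matching "by" clause inside it, and a matched clause with no matching "by" grants nothing). It assumes the post's regex-style dn patterns are unanchored with $1 taken from the target's capture group, treats dn="" as the root DSE only (as the post's comment intends), and uses cn=Subschema as the name of OpenLDAP's schema entry, which, like the users' own entries, falls through to the final deny clause.

```python
import re

# slapd's access levels in order; granting a level implies every lower one.
LEVELS = ["none", "auth", "compare", "search", "read", "write"]

# The posted ACL transcribed into a table for this simulator (not slapd syntax):
# (target DN regex, attribute or None, [(who, level), ...]). "who" is "*", "self"
# or a bind-DN regex where $1 is the target pattern's capture group. Assumptions:
# dn patterns are unanchored regexes (as the $1 in the post implies) and the empty
# pattern selects only the root DSE, which is what the post's comment intends.
ACL = [
    ("", None, [("*", "read")]),
    (r".*,dc=example,dc=com", "userPassword",
     [("cn=Manager,dc=example,dc=com", "write"), ("self", "write"), ("*", "auth")]),
    (r"ou=Contacts,ou=People,dc=example,dc=com", None,
     [("uid=barfoo,ou=People,dc=example,dc=com", "write"),
      (r"uid=[^,]*,ou=People,dc=example,dc=com", "read")]),
    (r"ou=Contacts,uid=([^,]*),ou=People,dc=example,dc=com", None,
     [(r"uid=$1,ou=People,dc=example,dc=com", "write")]),
    (r".*", None, [("*", "none")]),  # access to * by * none
]

def granted(bind_dn, target_dn, attr, op):
    """True if bind_dn may perform `op` on `attr` of target_dn (attr None = the entry).
    slapd takes the FIRST <what> clause matching the target, then the FIRST <by> clause
    matching the requester; a matched <what> with no matching <by> grants nothing, so
    a later, more permissive clause never gets a chance to widen access."""
    for pat, acl_attr, whos in ACL:
        if pat == "":
            if target_dn != "":
                continue                      # root DSE only (see assumptions above)
            m = None
        else:
            m = re.search(pat, target_dn)
            if not m:
                continue
        if acl_attr and acl_attr.lower() != (attr or "").lower():
            continue                          # clause is about a different attribute
        for who, level in whos:
            if who == "self":
                if bind_dn != target_dn:
                    continue
            elif who != "*":
                sub = re.escape(m.group(1)) if m and m.groups() else ""
                if not re.search(who.replace("$1", sub), bind_dn):
                    continue
            return LEVELS.index(level) >= LEVELS.index(op)
        return False                          # matched <what>, nobody matched <by>
    return False                              # no clause matched at all
```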