
ACL review: did I get it right?

I just finished banging out the following ACL by closely watching the
debug output and tweaking when I found denies that correlated to
misbehaviour by the tool "gq":

#access to *
#        by * read

# Need to provide access to the Root DSE and Subschema
# (gq uses them for example)
access to dn.base=""
	by users read
access to dn.base="cn=Subschema"
	by users read

#access to filter="(objectClass=*)"
#	by users read
#	by * search

access to dn.base="dc=example,dc=com" attr=objectClass
	by users search

access to dn.base="ou=People,dc=example,dc=com" attr=objectClass,entry
	by users read

access to dn="ou=Contacts,ou=People,dc=example,dc=com$"
	by dn.base="uid=ContactsAdmin,ou=People,dc=example,dc=com" write
	by users read

# Allow anyone to try to authorize and owners and the Manager to write
access to dn="^uid=[^,]+,ou=People,dc=example,dc=com$" attr=userPassword
	by dn="cn=Manager,dc=example,dc=com" write
	by self write
	by * auth

# users have full access to their entire subtree
# (DO NOT enable access to their entry or they could change, for example,
# their uid/gid)
access to dn=".+,uid=([^,]+),ou=People,dc=example,dc=com$"
	by dn="^uid=$1,ou=People,dc=example,dc=com$" write

# not needed (yet)
#access to dn=".*,dc=example,dc=com" attr=mail
#        by dn="cn=Manager,dc=example,dc=com" write
#        by self write
#        by users read

## Manager can write to all
#access to dn=".*,dc=example,dc=com"
#        by dn="cn=Manager,dc=example,dc=com" write
#        by * none

# Nothing else!
access to *
	by * none

The goal is to give read access to "ou=Contacts,ou=People..." to
everyone, but allow "uid=ContactsAdmin,ou=People..." to edit contact
information in that tree.

Also, users (under ou=People...) should have write access to everything
under their "uid" entry, but not their entry (lest they change things
like uid/gid etc.).

Everything else should allow no access to anyone (except the rootdn of
course).

Is there anything above that I am missing/got wrong, or that you would do
differently?

b.

-- 
My other computer is your Microsoft Windows server.

Brian J. Murrell
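An added check, not part of the original post: a small Python model of slapd's first-match ACL evaluation (first `access to` clause whose target matches wins, then the first matching `by` clause decides, no match means deny), loaded with the ACL above so each stated goal can be asserted against it. It assumes the bare `dn=` form is regex-matched (the `^`, `$` and `$1` in the post rely on that), rewrites the `dn.base=` targets as anchored regexes, and uses constructed DNs such as uid=bob and cn=Jane.

```python
import re

LEVELS = ["none", "auth", "compare", "search", "read", "write"]  # slapd order, low to high

# Transcription of the posted ACL as (dn regex, attrs or None for whole entry, by-clauses).
# Assumes bare dn= is regex-matched; dn.base= targets are written as anchored regexes.
PEOPLE = "ou=People,dc=example,dc=com"
ACL = [
    ("^$", None, [("users", "read")]),  # dn.base="" is the root DSE
    ("^cn=Subschema$", None, [("users", "read")]),
    ("^dc=example,dc=com$", {"objectClass"}, [("users", "search")]),
    ("^" + PEOPLE + "$", {"objectClass", "entry"}, [("users", "read")]),
    ("ou=Contacts," + PEOPLE + "$", None,
     [("dn.base=uid=ContactsAdmin," + PEOPLE, "write"), ("users", "read")]),
    ("^uid=[^,]+," + PEOPLE + "$", {"userPassword"},
     [("dn=cn=Manager,dc=example,dc=com", "write"), ("self", "write"), ("*", "auth")]),
    (".+,uid=([^,]+)," + PEOPLE + "$", None, [("dn=^uid=$1," + PEOPLE + "$", "write")]),
    (".*", None, [("*", "none")]),  # access to * by * none
]

def who_matches(who, requestor, entry, groups):
    # requestor is the bound DN, or None for an anonymous bind
    if who == "*":
        return True
    if who == "users":  # any authenticated bind; anonymous never matches
        return requestor is not None
    if who == "self":
        return requestor == entry
    if who.startswith("dn.base="):
        return requestor == who[len("dn.base="):]
    # dn=<regex>: $1.. expand to the groups captured by the 'access to' regex
    pat = re.sub(r"\$(\d)", lambda m: re.escape(groups[int(m.group(1)) - 1]), who[3:])
    return requestor is not None and re.search(pat, requestor) is not None

def allowed(requestor, entry, attr, level):
    # first 'access to' clause matching entry+attr wins; within it the first
    # matching 'by' clause decides; no matching 'by' is slapd's implicit deny
    for pattern, attrs, bys in ACL:
        m = re.search(pattern, entry)
        if not m or (attrs is not None and attr not in attrs):
            continue
        for who, granted in bys:
            if who_matches(who, requestor, entry, m.groups()):
                return LEVELS.index(granted) >= LEVELS.index(level)
        return False
    return False
```

One result worth noting: `by users` matches authenticated binds only, so an anonymous bind gets no read access to the Contacts subtree, and a user cannot read non-password attributes of their own entry.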
