
Re: acl fun



> Primary LDAP server - posixAccount/sambaSamAccount logins
>
> I'm trying to secure things - does this make sense?
> Is there a better way that I might learn something from this?
>
> access to dn=".*,o=Domain,c=US" attr=userPassword
> by dn="cn=root,o=Domain,c=US" write
> by dn="cn=admin,ou=People,o=Domain,c=US" write
> by users write

All users can write each other's passwords... you might want to change the last
line to 'by self write'.
>
> access to dn="ou=People,o=Domain,c=US"
> by dn="cn=root,o=Domain,c=US" write
> by dn="cn=admin,ou=People,o=Domain,c=US" write
> by self write

dn defaults to dn.regex.
The string "ou=People,o=Domain,c=US" also appears in the rules below, so they
won't be evaluated. Use dn.exact or dn.base depending on the version of OL
you are using. dn.exact has my preference.
>
> access to dn="uid=*,ou=People,o=Domain,c=US"
> by dn="cn=root,o=Domain,c=US" write
> by dn="cn=admin,ou=People,o=Domain,c=US" write
> by users write

Users can write in each other's entries.
Maybe change the last line into two lines:
  by self write
  by users read
so users will only be able to read each other's entries.

>
> access to dn="ou=Groups,o=Domain,c=US"
> by dn="cn=root,o=Domain,c=US" write
> by dn="cn=admin,ou=People,o=Domain,c=US" write
>
> access to dn="ou=Computers,o=Domain,c=US"
> by dn="cn=root,o=Domain,c=US" write
> by dn="cn=admin,ou=People,o=Domain,c=US" write
>
> access to dn=".*,o=Domain,c=US"
> by * none
>
> Thanks
> Craig

_Ace

-- 
Ace Suares' Internet Consultancy
NIEUW ADRES: Postbus 2599, 4800 CN Breda
telefoon: 06-244 33 608
fax en voicemail: 0848-707 705
website: http://www.suares.nl * http://www.qwikzite.nl
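The two points made in the reply (a bare dn="..." is a dn.regex, so the unanchored "ou=People,o=Domain,c=US" rule also matches the uid entries beneath it and shadows the rules after it; and "by users write" lets every authenticated user write other users' passwords and entries) can be checked with a small model of slapd's first-match ACL evaluation. The code below is an added example, not slapd's code and not part of Craig's config or Ace's reply. It assumes slapd's documented behaviour that a dn.regex is an unanchored regex search and that, once a rule's target matches, the first matching "by" clause decides with no match meaning deny; it treats "no rule matched" as deny too, which is a modelling choice. The DNs uid=craig and uid=bob are constructed sample values. Note also that Craig's third rule uses uid=*, which as a regex means "uid" followed by any number of "=" characters, not a wildcard; the corrected rule set below uses an anchored uid=[^,]+ instead.

```python
import re
from dataclasses import dataclass, field
from typing import Optional

# slapd access levels in increasing order; a grant of one level implies the lower ones.
LEVELS = ["none", "auth", "compare", "search", "read", "write"]


@dataclass
class Rule:
    """One 'access to <what> by <who> <access> ...' directive (simplified model)."""
    target: str                              # DN or DN pattern from the 'to' clause
    style: str = "regex"                     # a bare dn="..." is dn.regex in slapd
    attr: Optional[str] = None               # attrs=...; None means the entry itself
    by: list = field(default_factory=list)   # [(who, access), ...] in written order

    def matches_target(self, dn: str, attr: Optional[str]) -> bool:
        # An attrs= rule only applies to that attribute; a rule without attrs=
        # applies to the entry and all of its attributes.
        if self.attr is not None and attr != self.attr:
            return False
        if self.style == "exact":            # dn.exact / dn.base: this one entry only
            return dn == self.target
        # dn.regex: unanchored search, so "ou=People,..." also hits its children
        return re.search(self.target, dn) is not None


def who_matches(who: str, bind_dn: Optional[str], target_dn: str) -> bool:
    """Match a <who> clause against the requester (bind_dn None = anonymous)."""
    if who == "*":
        return True
    if who == "anonymous":
        return bind_dn is None
    if who == "users":
        return bind_dn is not None
    if who == "self":
        return bind_dn is not None and bind_dn == target_dn
    return bind_dn == who                    # literal dn="..." clause, matched exactly


def evaluate(rules, bind_dn, target_dn, attr, wanted):
    """First-match evaluation: the first rule whose target matches decides, and
    within it the first matching 'by' clause decides. Returns (rule_index, granted)
    so shadowed rules are visible; rule_index None means nothing matched (deny)."""
    for i, rule in enumerate(rules):
        if not rule.matches_target(target_dn, attr):
            continue
        for who, access in rule.by:
            if who_matches(who, bind_dn, target_dn):
                return i, LEVELS.index(access) >= LEVELS.index(wanted)
        return i, False                      # matched rule, no matching 'by' clause
    return None, False


ROOT = "cn=root,o=Domain,c=US"
ADMIN = "cn=admin,ou=People,o=Domain,c=US"
PEOPLE = "ou=People,o=Domain,c=US"
CRAIG = "uid=craig,ou=People,o=Domain,c=US"  # constructed sample user
BOB = "uid=bob,ou=People,o=Domain,c=US"      # constructed sample user

# The rule set as posted (bare dn= patterns are regexes, 'by users write' as written).
ORIGINAL = [
    Rule(r".*,o=Domain,c=US", attr="userPassword",
         by=[(ROOT, "write"), (ADMIN, "write"), ("users", "write")]),
    Rule(PEOPLE, by=[(ROOT, "write"), (ADMIN, "write"), ("self", "write")]),
    Rule(r"uid=*,ou=People,o=Domain,c=US",
         by=[(ROOT, "write"), (ADMIN, "write"), ("users", "write")]),
    Rule(r".*,o=Domain,c=US", by=[("*", "none")]),
]

# The rule set with the reply's suggestions applied: 'by self write' on userPassword,
# dn.exact for the ou=People entry, 'by self write' + 'by users read' on the users,
# and anchored regexes so each pattern matches only what it is meant to.
CORRECTED = [
    Rule(r"^.*,o=Domain,c=US$", attr="userPassword",
         by=[(ROOT, "write"), (ADMIN, "write"), ("self", "write")]),
    Rule(PEOPLE, style="exact",
         by=[(ROOT, "write"), (ADMIN, "write"), ("self", "write")]),
    Rule(r"^uid=[^,]+,ou=People,o=Domain,c=US$",
         by=[(ROOT, "write"), (ADMIN, "write"), ("self", "write"), ("users", "read")]),
    Rule(r"^.*,o=Domain,c=US$", by=[("*", "none")]),
]


if __name__ == "__main__":
    for name, rules in (("original", ORIGINAL), ("corrected", CORRECTED)):
        print(name)
        print("  craig writes bob's userPassword:", evaluate(rules, CRAIG, BOB, "userPassword", "write"))
        print("  craig reads bob's entry:        ", evaluate(rules, CRAIG, BOB, None, "read"))
        print("  craig writes bob's cn:          ", evaluate(rules, CRAIG, BOB, "cn", "write"))
        print("  craig writes own cn:            ", evaluate(rules, CRAIG, CRAIG, "cn", "write"))
```

Running it shows that with the original rules craig's write to bob's userPassword is granted by rule 0, and every access to a uid entry stops at rule 1 (the unanchored ou=People regex), so rule 2 is never consulted; with the corrected rules the password write is denied, the read of bob's entry is granted by rule 2, and only self writes go through. One caveat the thread does not cover: once userPassword is restricted this way, slapd still needs "auth" access to that attribute for simple binds to succeed, so a real slapd.conf usually adds "by anonymous auth" to the userPassword rule.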