
RE: ACL questions. Answered (long)



On Thu, 11 Mar 2004, Diego Julian Remolina wrote:

> Hi Howard,
> 
> Adding "by * read" instead of "by * auth break" works correctly, thanks
> for all your help.
> 
> Here is the final ACL that works for the purpose of clarifying to the
> list:
> 
> access to attrs=userPassword,sambaLMPassword,sambaNTPassword
>         by dn="uid=Sambaroot,ou=People,dc=math,dc=gatech,dc=edu" write
>         by * auth
> 
> # Allow users to change their login shell by themselves
> access to attrs=loginShell
>         by self write
> 
> # Allow uid=Sambaroot to write any samba entries and objecClass to
> children
> # of ou=People.
> access to dn.children="ou=People,dc=math,dc=gatech,dc=edu"
> attrs=objectClass,sambaSamAccount
>         by dn="uid=Sambaroot,ou=People,dc=math,dc=gatech,dc=edu" write
>         by * read
> 
> # Allow uid=Sambaroot to write the mentioned attributes in ou=Groups
> access to dn.children="ou=Groups,dc=math,dc=gatech,dc=edu"
> attrs=description,sambaSID,sambaGroupType,displayName,objectClass
>         by dn="uid=Sambaroot,ou=People,dc=math,dc=gatech,dc=edu" write
>         by * read
> 
> # Allow uid=Sambaroot to write the objectClass and samba attributes to
> # children of ou=Host
> access to dn.children="ou=Hosts,dc=math,dc=gatech,dc=edu"
> attrs=objectClass,sambaSamAccount
>         by dn="uid=Sambaroot,ou=People,dc=math,dc=gatech,dc=edu" write
>         by * read
> 
> # Allow uid=Sambaroot to write to all children of ou=Idmap
> access to dn.children="ou=Idmap,dc=math,dc=gatech,dc=edu"
>         by dn="uid=Sambaroot,ou=People,dc=math,dc=gatech,dc=edu" write
>         by * read
> 

As I read this, it seems you allow Sambaroot to modify entries below 
ou=Idmap, but, since Sambaroot does not have write access to ou=Idmap, 
surely you will get the "no write access to parent" error if samba tries 
to add an idmap entry? The same issue applies to ou=Hosts, does it not? 
This would mean joining machines "on-the-fly" would not work ...

> # Now we restrict uid=Sambaroot so that this user cannot erase things
> access to dn.regex="ou=(.+),dc=math,dc=gatech,dc=edu"
>         by dn="uid=Sambaroot,ou=People,dc=math,dc=gatech,dc=edu" read
>         by * read
> 
> # We also allow uid=Sambaroot to add the sambaDomainName entry under the
> # database root (same level as rootdn).
> access to dn.subtree="dc=math,dc=gatech,dc=edu"
>         by dn="uid=Sambaroot,ou=People,dc=math,dc=gatech,dc=edu" write
>         by * read
> 

Don't you want to prevent uid=Sambaroot from making entries which aren't 
sambaDomain's? i.e.:
access to dn.subtree="dc=math,dc=gatech,dc=edu"
        attrs=sambaDomain
        by dn="uid=Sambaroot,ou=People,dc=math,dc=gatech,dc=edu" write
        by * read

But, then again, we may have the "no write access to parent" error?


> # Then we grant access to read everything else.
> access to *
>         by * read

Finally, I am wondering about supporting a multi-samba-domain 
implementation (yes, I know there are other ways) without duplicating 
ACLs. i.e., how would I make generic ACLs work for this kind of setup?

I have tried things like:
access to dn="^(.*,)+ou=Hosts,(dc=.+,)+$$"
        attrs=objectClass,sambaSamAccount
        by dn="uid=Sambaroot,ou=People,$2$$" write
        by * read

(as far as I understand, something like this can only be done with 
dn.regex, not dn.children?).

Regards,
Buchan
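
One way to address both the parent-write question and the multi-domain 
question raised above, as an added example that is not part of this thread 
and was not posted by either Diego or Buchan. It assumes OpenLDAP 2.2 or 
later (the dn.exact,expand style and the @objectclass form in attrs) and 
relies on the "entry" and "children" pseudo-attributes, which slapd checks 
before it reports "no write access to parent". The dc=... part of each 
regex is a constructed pattern that accepts any number of dc components; 
the base DN, the Sambaroot DN and the container names are taken from the 
ACLs quoted above.

```conf
# Added example (not from this thread). First matching "access to" line
# wins, so these rules must come before the read-only ou=(.+) rule and the
# catch-all "access to *".

# 1. Let Sambaroot add (and, unavoidably, delete) entries directly beneath
#    ou=Hosts and ou=Idmap of whichever domain the target DN belongs to.
#    slapd checks write access to the parent's "children" pseudo-attribute
#    for add/delete and fails with "no write access to parent" otherwise.
#    Granting only "children" keeps the containers' own attributes read-only
#    for Sambaroot (least privilege). $2 is the captured dc=... base, so the
#    Sambaroot of the matching domain is the one granted write.
access to dn.regex="^ou=(Hosts|Idmap),(dc=[^,]+(,dc=[^,]+)*)$"
        attrs=children
        by dn.exact,expand="uid=Sambaroot,ou=People,$2" write
        by * read

# 2. The machine accounts themselves. "entry" is the pseudo-attribute slapd
#    checks on the entry being added or deleted; @sambaSamAccount expands to
#    the attributes of that objectClass (2.2 syntax for what the quoted ACL
#    wrote as attrs=sambaSamAccount); objectClass is listed explicitly
#    because it is not part of the sambaSamAccount class definition.
access to dn.regex="^(.+,)ou=Hosts,(dc=[^,]+(,dc=[^,]+)*)$"
        attrs=entry,objectClass,@sambaSamAccount
        by dn.exact,expand="uid=Sambaroot,ou=People,$2" write
        by * read

# 3. Idmap entries: winbind writes whole entries here, so no attrs filter,
#    which (with no attrs given) also covers the "entry" pseudo-attribute.
access to dn.regex="^(.+,)ou=Idmap,(dc=[^,]+(,dc=[^,]+)*)$"
        by dn.exact,expand="uid=Sambaroot,ou=People,$2" write
        by * read
```

Two caveats a practitioner should keep in mind. Delete uses the same 
checks as add (write on the parent's "children" and on the target's 
"entry"), so once on-the-fly joins work the "cannot erase things" rule 
quoted above no longer holds for these two containers; preventing deletion 
then has to be done on the samba side, or by not granting "children" at all 
and pre-creating the entries. Rule 2 also only covers the same attribute 
set as the quoted ACL, so a machine account that also needs posixAccount 
attributes written by samba would need those added to the attrs list.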