RE: ACL questions. Answered (long)
On Thu, 11 Mar 2004, Diego Julian Remolina wrote:
> Hi Howard,
>
> Adding "by * read" instead of "by * auth break" works correctly, thanks
> for all your help.
>
> Here is the final ACL that works for the purpose of clarifying to the
> list:
>
> access to attrs=userPassword,sambaLMPassword,sambaNTPassword
> by dn="uid=Sambaroot,ou=People,dc=math,dc=gatech,dc=edu" write
> by * auth
>
> # Allow users to change their login shell by themselves
> access to attrs=loginShell
> by self write
>
> # Allow uid=Sambaroot to write any samba entries and objectClass to
> # children of ou=People.
> access to dn.children="ou=People,dc=math,dc=gatech,dc=edu"
> attrs=objectClass,sambaSamAccount
> by dn="uid=Sambaroot,ou=People,dc=math,dc=gatech,dc=edu" write
> by * read
>
> # Allow uid=Sambaroot to write the mentioned attributes in ou=Groups
> access to dn.children="ou=Groups,dc=math,dc=gatech,dc=edu"
> attrs=description,sambaSID,sambaGroupType,displayName,objectClass
> by dn="uid=Sambaroot,ou=People,dc=math,dc=gatech,dc=edu" write
> by * read
>
> # Allow uid=Sambaroot to write the objectClass and samba attributes to
> # children of ou=Host
> access to dn.children="ou=Hosts,dc=math,dc=gatech,dc=edu"
> attrs=objectClass,sambaSamAccount
> by dn="uid=Sambaroot,ou=People,dc=math,dc=gatech,dc=edu" write
> by * read
>
> # Allow uid=Sambaroot to write to all children of ou=Idmap
> access to dn.children="ou=Idmap,dc=math,dc=gatech,dc=edu"
> by dn="uid=Sambaroot,ou=People,dc=math,dc=gatech,dc=edu" write
> by * read
>
As I read this, it seems you allow Sambaroot to modify entries below
ou=Idmap, but, since Sambaroot does not have write access to ou=Idmap,
surely you will get the "no write access to parent" error if samba tries
to add an idmap entry? The same issue applies to ou=Hosts, does it not?
This would mean joining machines "on-the-fly" would not work ...
> # Now we restrict uid=Sambaroot so that this user cannot erase things
> access to dn.regex="ou=(.+),dc=math,dc=gatech,dc=edu"
> by dn="uid=Sambaroot,ou=People,dc=math,dc=gatech,dc=edu" read
> by * read
>
> # We also allow uid=Sambaroot to add the sambaDomainName entry under the
> # database root (same level as rootdn).
> access to dn.subtree="dc=math,dc=gatech,dc=edu"
> by dn="uid=Sambaroot,ou=People,dc=math,dc=gatech,dc=edu" write
> by * read
>
Don't you want to prevent uid=Sambaroot from making entries which aren't
sambaDomain's? ie:
access to dn.subtree="dc=math,dc=gatech,dc=edu"
attrs=sambaDomain
by dn="uid=Sambaroot,ou=People,dc=math,dc=gatech,dc=edu" write
by * read
But then again, we may have the "no write access to parent"?
> # Then we grant access to read everything else.
> access to *
> by * read
Finally, I am wondering about supporting a multi-samba-domain
implementation (yes, I know there are other ways) without duplicating
ACLs. ie, how would I make generic ACLs work for this kind of setup?
I have tried things like:
access to dn="^(.*,)+ou=Hosts,(dc=.+,)+$$"
attrs=objectClass,sambaSamAccount
by dn="uid=Sambaroot,ou=People,$2$$" write
by * read
(as far as I understand, something like this can only be done with
dn.regex, not dn.children?).
Regards,
Buchan
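The "no write access to parent" point raised above can be checked without a running directory. What follows is an added example, not code from the thread or from OpenLDAP: a small Python model of slapd's access-control evaluation as described in slapd.access(5) (first matching "access to" clause wins, first matching "by" clause inside it decides, implicit "by * none" otherwise), run over the ACLs exactly as posted. The model assumes the OpenLDAP 2.2-style "children" pseudo-attribute of the parent entry is what an add needs write access to, treats "by dn=" as an exact DN match, and ignores the other requirements of an add (write on the new entry's "entry" pseudo-attribute and its attributes); the host DN, the PARENT_FIX clause and its placement are constructed for illustration.

```python
import re

# Constructed, simplified model of slapd ACL evaluation (slapd.access(5));
# it is not OpenLDAP code. Rules modelled:
#   * the first "access to" clause whose <what> matches the target
#     entry/attribute is the only one consulted;
#   * inside it, the first matching <by> clause decides; if none matches,
#     access is denied (the implicit "by * none");
#   * an add needs write access to the parent's "children" pseudo-attribute
#     (assumption: OpenLDAP 2.2+ semantics behind "no write access to parent").

LEVELS = ["none", "auth", "compare", "search", "read", "write"]
BASE = "dc=math,dc=gatech,dc=edu"
SAMBAROOT = "uid=Sambaroot,ou=People," + BASE


def parent_of(dn):
    return dn.split(",", 1)[1]


# <what> styles: each returns a predicate over the target DN
def children(base):
    return lambda dn: dn != base and dn.endswith("," + base)


def subtree(base):
    return lambda dn: dn == base or dn.endswith("," + base)


def regex(pattern):
    # slapd regexes are not implicitly anchored, so re.search is the right model
    return lambda dn: re.search(pattern, dn) is not None


def anything(dn):
    return True


# <by> styles: each returns a predicate over (requester DN, target DN)
def by_dn(who):  # assumption: "by dn=" modelled as an exact match
    return lambda req, target: req == who


def by_self(req, target):
    return req == target


def by_anyone(req, target):
    return True


def acl(what, by, attrs=None):
    """One 'access to' clause: what predicate, optional attrs= set, ordered by-list."""
    return (what, None if attrs is None else {a.lower() for a in attrs}, by)


def granted(acls, requester, target_dn, attr, wanted):
    """True if the first matching clause gives requester at least `wanted` on target_dn/attr."""
    for what, attrs, by in acls:
        if not what(target_dn):
            continue
        # a clause without attrs= covers the entry and every attribute,
        # including the "entry" and "children" pseudo-attributes
        if attrs is not None and attr.lower() not in attrs:
            continue
        for who, level in by:
            if who(requester, target_dn):
                return LEVELS.index(level) >= LEVELS.index(wanted)
        return False  # clause matched, no by matched: implicit "by * none"
    return False      # no clause matched at all


def can_add(acls, requester, new_dn):
    """Does the 'no write access to parent' check pass for adding new_dn?"""
    return granted(acls, requester, parent_of(new_dn), "children", "write")


# The ACLs as posted in the thread, in their original order
POSTED = [
    acl(anything, [(by_dn(SAMBAROOT), "write"), (by_anyone, "auth")],
        attrs=["userPassword", "sambaLMPassword", "sambaNTPassword"]),
    acl(anything, [(by_self, "write")], attrs=["loginShell"]),
    acl(children("ou=People," + BASE), [(by_dn(SAMBAROOT), "write"), (by_anyone, "read")],
        attrs=["objectClass", "sambaSamAccount"]),
    acl(children("ou=Groups," + BASE), [(by_dn(SAMBAROOT), "write"), (by_anyone, "read")],
        attrs=["description", "sambaSID", "sambaGroupType", "displayName", "objectClass"]),
    acl(children("ou=Hosts," + BASE), [(by_dn(SAMBAROOT), "write"), (by_anyone, "read")],
        attrs=["objectClass", "sambaSamAccount"]),
    acl(children("ou=Idmap," + BASE), [(by_dn(SAMBAROOT), "write"), (by_anyone, "read")]),
    acl(regex(r"ou=(.+),dc=math,dc=gatech,dc=edu"),
        [(by_dn(SAMBAROOT), "read"), (by_anyone, "read")]),
    acl(subtree(BASE), [(by_dn(SAMBAROOT), "write"), (by_anyone, "read")]),
    acl(anything, [(by_anyone, "read")]),
]

# Constructed fix: grant Sambaroot write on the parents' "children"
# pseudo-attribute, placed *before* the dn.regex clause that otherwise
# matches ou=Hosts / ou=Idmap first and caps Sambaroot at read.
PARENT_FIX = acl(regex(r"^ou=(Hosts|Idmap),dc=math,dc=gatech,dc=edu$"),
                 [(by_dn(SAMBAROOT), "write"), (by_anyone, "read")], attrs=["children"])
FIXED = POSTED[:6] + [PARENT_FIX] + POSTED[6:]

if __name__ == "__main__":
    host = "uid=pc01$,ou=Hosts," + BASE  # constructed machine account DN
    print("posted ACLs, add host:", can_add(POSTED, SAMBAROOT, host))
    print("fixed ACLs, add host: ", can_add(FIXED, SAMBAROOT, host))
```

Running it shows the failure Buchan predicts: for the parent entry ou=Hosts the only clause that matches is the unanchored dn.regex one (the dn.children clauses skip the parent itself), and it gives Sambaroot read, so the add is refused; the same holds for ou=Idmap and ou=People. Moving a "children" grant ahead of that clause is what makes the add pass, which is the ordering point worth remembering when a deny-style regex clause sits in the middle of the list.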