[Date Prev][Date Next]
[Chronological]
[Thread]
[Top]
Re: Access Control by Organizational Unit?
Heather Lockridge writes:
> Is the ssf=128 a "Seecurity Strength Factor" which
> means the same as self write?
Huh. That needs better documentation. No, ssf=128 means that the
access is only granted over TLS/SSL connections. So it doesn't work to
e.g. bind with the correct password over an unencrypted connection.
>> access to dn.regex="[^,]*,(ou=.*)"
>> by dn.regex="cn=Directory Manager,$1" write
>> by * read
>>
>> access to dn.regex="(ou=.*)" attr=children
>> by dn.regex="cn=Directory Manager,$1" write
>> by * read
>>
>> The "[^,]*," says that the directive applies to
>> entries directly below
>> the ou. It will not work if the OU contains entries
>> with "," in their
>> RDN. Or if you want to give the manager access to
>> subtrees below the
>> OU, and you do not have OUs below OUs, use
>> 'dn.regex=.*,(ou=.*)'. If
>
> Why are there two "access to" statements? The first
> seems to say, "let the person who has the cn of
> "Directory Manager" have write access to anything in
> the OU of which he is a part, and let others read
> only.
Write access to _already existing_ entries in the OU.
At least that's what I seem to remember it does; I haven't
actually checked if the "attr=children" rule is necessary.
> I am not clear about what the second one does,
> the one with "attr=children"
Access to add and delete children of the OU.
>> What the first directive should look like depends on who should be
>> able to access userPassword in which manner. (...)
>
> I certainly do
> want the "Directory Manager" to be able to
> update/change the password after creating it.
OK, then keep it as it is.
> I am
> not sure what you refer to when you say "delete the
> parts about dn.regex for userPassword" as I don't see
> those above.
I meant to delete 'dn.regex="[^,]*,(ou=.*)"' in front of
attr=userPassword, and 'by dn.regex="cn=Directory Manager,$1" ssf=128
write'. But never mind, you want to keep them.
OTOH, maybe you want to delete 'self ssf=128 write', if _users_ should
not be able to update their passwords:-)
> While I could use Directory Manager for the cn of the
> empowered person in each OU, is there a way to do all
> this with their real name?
I may have missed a way, but the only way I can think of is
to use OpenLDAPACI.
> Lastly, I am thinking of OU in the context of
> department like Engineering, Fabrication, etc. It
> might be necessary to have an OU in Engineering for
> New Mexico, and one for Oregon. But, in this case,
> the one "Directory Manager" fr the Engineering OU
> would need to be able to manage all entries in the
> Engineering OU as well as the the sub OU of New Mexico
> and the sub OU of Oregon.
If both Directory Manager,Oregon,Engineering and Directory
Manager,Engineering should have access, use something like
access to dn.regex="[^,]*,(ou=.*,(ou=.*))"
by dn.regex="cn=Directory Manager,$1" write
by dn.regex="cn=Directory Manager,$2" write
by * read
access to dn.regex="[^,]*,(ou=.*)"
by dn.regex="cn=Directory Manager,$1" write
by * read
If there is no Directory Manager,Oregon,Engineering, maybe
you want
access to dn.regex=".*,(ou=.*)"
by dn.regex="cn=Directory Manager,$1" write
by * read
These regexps assume there is no OU above Engineering. If your
organizational structure is more complicated, such ACLs will quickly get
hairy and error-prone, so maybe the OpenLDAPaci approach is better.
OpenLDAPaci is described in
<http://www.openldap.org/faq/data/cache/634.html>, though that is a bit
outdated. It does not mention that 'public' grants everyone access,
e.g. 'OpenLDAPaci: 2.0#entry#grant;c,r,s,x;[all],[entry]#public#'.
--
Hallvard