speeding up searches and better security - access lists

Hi all,

I have a question regarding access lists. I have read the man pages and manuals, but I am still unclear as to how I can use the stop and break arguments in an access list. I am assuming that will speed up my searches. Also, from a plain security point of view, where is this list wrong? dn: cn=admin is the user used to bind for auth with IMAP, Samba and SASL.

Your help would be much appreciated.

Thanks.
Ben

access to dn.subtree="ou=Utiba,ou=People,dc=cpc" attr=userPassword
       by anonymous auth
       by dn="cn=admin,ou=People,dc=cpc" auth
       by self write
       by dn="uid=root,ou=System,ou=People,dc=cpc" write
       by group="cn=sysadmin,ou=grpUtiba,ou=Group,dc=cpc" write

access to dn.subtree="ou=Contacts,ou=People,dc=cpc"
       by users read
       by self write
       by * write
       by group="cn=utiba,ou=grpUtiba,ou=Group,dc=cpc" write
       by anonymous read

access to dn.subtree="ou=People,dc=cpc" attrs=loginShell,uid,cn,sn,uidNumber,gidNumber,userPassword,mailMessageStore,mailHost,accountStatus,homeDirectory,amavisVirusLover,amavisBannedFilesLover,amavisBypassVirusChecks,amavisBypassSpamChecks,amavisSpamTagLevel,amavisSpamTag2Level,amavisSpamKillLevel,amavisSpamModifiesSubj,amavisWhitelistSender,amavisBlacklistSender,mailForwardingAddress
       by anonymous read
       by users read
       by self write
       by dn="cn=admin,ou=People,dc=cpc" write
       by dn="uid=root,ou=System,ou=People,dc=cpc" write
       by group="cn=sysadmin,ou=grpUtiba,ou=Group,dc=cpc" write


access to dn.subtree="ou=auto.home,dc=cpc"
       by anonymous read
       by self write

access to dn=.*
       by anonymous read
       by dn="uid=root,ou=System,ou=People,dc=cpc" write
       by dn="uid=admin,ou=System,ou=People,dc=cpc" write
       by dn="cn=sysadmin,ou=grpUtiba,ou=Group,dc=cpc" write

access to dn.exact=""
       by * read

(the rest was pretty much supplied with Mandrake OpenLDAP)
access to dn.regex="^([^,]*,)?ou=[^,]+,(dc=[^,]+(,dc=[^,]+)*)$"
attrs=lmPassword,ntPassword,sambaLMPassword,sambaNTPassword,userPassword,sambaPasswordHistory
       by self write
       by dn.exact,expand="uid=root,ou=System,ou=People,$2" write
       by group="cn=Domain Controllers,ou=Group,$2" write
       by group="cn=Domain Admins,ou=grpSystem,ou=Group,$2" write
       by group="cn=Replicator,ou=Group,$2" write
       by anonymous auth
       by * none
access to dn.regex="^([^,]+,)?ou=People,(dc=[^,]+(,dc=[^,]+)*)$"
       attrs=entry,children,posixAccount,sambaAccount,sambaSamAccount
       by dn.exact,expand="uid=root,ou=System,ou=People,$2" write
       by group="cn=Domain Controllers,ou=Group,$2" write
       by group="cn=Domain Admins,ou=grpSystem,ou=Group,$2" write
       by group="cn=Replicator,ou=Group,$2" write
       by users read
       by anonymous read
access to dn.regex="([^,]+,)?ou=People,(dc=[^,]+(,dc=[^,]+)*)$"
       attrs=inetOrgPerson,mail
       by self write
       by dn.exact,expand="uid=root,ou=System,ou=People,$2" write
       by group="cn=Domain Controllers,ou=Group,$2" write
       by group="cn=Domain Admins,ou=grpSystem,ou=Group,$2" write
       by group="cn=Replicator,ou=Group,$2" write
       by users read
       by anonymous read
access to dn.regex="^([^,]+,)?ou=Group,(dc=[^,]+(,dc=[^,]+)*)$"
       attrs=entry,children,posixGroup,sambaGroupMapping
       by dn.exact,expand="uid=root,ou=System,ou=People,$2" write
       by group="cn=Domain Controllers,ou=Group,$2" write
       by group="cn=Domain Admins,ou=grpSystem,ou=Group,$2" write
       by group="cn=Replicator,ou=Group,$2" write
       by users read
       by anonymous read
access to dn.regex="^([^,]+,)?ou=Hosts,(dc=[^,]+(,dc=[^,]+)*)$"
       attrs=entry,children,posixAccount,inetOrgperson,sambaSamAccount
       by dn.exact,expand="uid=root,ou=System,ou=People,$2" write
       by group="cn=Domain Controllers,ou=Group,$2" write
       by group="cn=Domain Admins,ou=grpSystem,ou=Group,$2" write
       by group="cn=Replicator,ou=Group,$2" write
       by users read
       by anonymous read
access to dn.regex="^([^,]+,)?ou=Idmap,(dc=[^,]+(,dc=[^,]+)*)$"
       attrs=entry,children,sambaIdmapEntry
       by dn.exact,expand="uid=root,ou=System,ou=People,$2" write
       by group="cn=Domain Controllers,ou=Group,$2" write
       by group="cn=Domain Admins,ou=grpSystem,ou=Group,$2" write
       by group="cn=Replicator,ou=Group,$2" write
       by users read
       by anonymous read
access to dn.regex="^([^,],)?ou=Contacts,(dc=[^,]+(,dc=[^,]+)*)$"
       attrs=children,entry,inetOrgPerson,evolutionperson,calEntry
       by dn="uid=[^,]+,ou=People,$2" write
       by group="cn=Replicator,ou=Group,$2" write
       by group="cn=Domain Admins,ou=grpSystem,ou=Group,$2" write
       by users read
       by anonymous read

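The question above is about what `stop` and `break` do during evaluation. The following is an added example, not code from the post or from OpenLDAP: a small Python model of the evaluation order that slapd.access(5) documents (first matching `access to` clause is selected; inside it the first matching `by` clause is applied; `stop`, which is the default, ends evaluation there, `continue` keeps trying later `by` clauses of the same clause, `break` leaves the clause and goes on to later `access to` clauses; a selected clause in which no `by` matches denies). The `Access` class, the `evaluate` function, the `GROUPS` membership table and the `CONTACTS`/`LAYERED` rule sets are constructed for this example; `CONTACTS` copies the `by` order of the Contacts clause in the post so that the effect of first-match-wins can be read off the trace. The model assumes dn.subtree targets, absolute privilege levels only (the incremental `+`/`-` forms are not modelled) and `none` for an entry matched by no clause at all, where a real slapd applies its configured default.

```python
"""Model of slapd access-control evaluation (added example; not OpenLDAP code).

Order of evaluation, as documented in slapd.access(5):
  1. 'access to' clauses are tried top to bottom; the first whose target
     matches the requested (dn, attr) is selected.
  2. inside it, 'by' clauses are tried top to bottom; the first whose <who>
     matches the requester is applied, together with its <control>:
        stop      (the default) evaluation ends with this clause
        continue  later 'by' clauses of the same 'access to' are still tried
        break     leave this 'access to', try the later 'access to' clauses
  3. a selected 'access to' in which no 'by' matched denies access (slapd's
     implicit trailing 'by * none').
Assumptions of this model: dn.subtree targets plus an optional attrs list,
<who> limited to the forms used on this page, absolute privilege levels only,
and 'none' for an entry that no 'access to' clause matches at all.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Access:
    subtree: str            # access to dn.subtree="<subtree>"
    attrs: tuple = ()       # attrs=a,b,c ; empty = the entry / any attribute
    by: tuple = ()          # ((who, level, control), ...) in configuration order


def in_subtree(dn: str, base: str) -> bool:
    dn, base = dn.lower(), base.lower()
    return dn == base or dn.endswith("," + base)


def who_matches(who: str, bind_dn, target_dn: str, groups: dict) -> bool:
    """<who> forms used on the page: *, anonymous, users, self, dn=..., group=..."""
    if who == "*":
        return True
    if who == "anonymous":
        return bind_dn is None
    if bind_dn is None:                     # every remaining form needs a bound user
        return False
    if who == "users":
        return True
    if who == "self":
        return bind_dn.lower() == target_dn.lower()
    if who.startswith("dn="):
        return bind_dn.lower() == who[3:].lower()
    if who.startswith("group="):            # membership is supplied by the caller
        return bind_dn.lower() in {m.lower() for m in groups.get(who[6:], ())}
    raise ValueError(f"unsupported <who> clause: {who}")


def evaluate(acl, bind_dn, dn, attr, groups):
    """Return (level, trace); trace lists (access index, who, level, control)
    for every 'by' clause that was applied, so the control keyword's effect is
    visible."""
    level, trace = "none", []
    for i, acc in enumerate(acl):
        if not in_subtree(dn, acc.subtree):
            continue
        if acc.attrs and (attr is None or attr.lower() not in [a.lower() for a in acc.attrs]):
            continue
        control = None                      # None: no 'by' clause matched yet
        for who, priv, ctl in acc.by:
            if not who_matches(who, bind_dn, dn, groups):
                continue
            level, control = priv, ctl
            trace.append((i, who, priv, ctl))
            if ctl != "continue":
                break
        if control == "break":
            continue                        # keep looking at later 'access to' clauses
        if control != "stop":
            level = "none"                  # nothing matched, or a 'continue' chain ran out
        return level, trace
    return level, trace                     # 'break' with no later match keeps the last level


# Constructed sample (not from a live server) in the 'by' order of the Contacts
# clause in the post: "by users" precedes "by self", so with the default 'stop'
# an authenticated user, the entry's owner included, never reaches 'self write',
# while an anonymous bind falls through to 'by * write'.
GROUPS = {"cn=utiba,ou=grpUtiba,ou=Group,dc=cpc": ("uid=ben,ou=People,dc=cpc",)}
CONTACTS = (Access("ou=Contacts,ou=People,dc=cpc", by=(
    ("users", "read", "stop"),
    ("self", "write", "stop"),
    ("*", "write", "stop"),
    ("group=cn=utiba,ou=grpUtiba,ou=Group,dc=cpc", "write", "stop"),
)),)

# The same target using 'break': the Contacts clause settles only its own cases
# and hands everyone else to a general clause further down the list.
LAYERED = (
    Access("ou=Contacts,ou=People,dc=cpc", by=(
        ("self", "write", "stop"),
        ("group=cn=utiba,ou=grpUtiba,ou=Group,dc=cpc", "write", "stop"),
        ("*", "none", "break"),
    )),
    Access("dc=cpc", by=(("users", "read", "stop"), ("anonymous", "auth", "stop"))),
)

if __name__ == "__main__":
    entry = "cn=Bob,ou=Contacts,ou=People,dc=cpc"
    for name, acl in (("CONTACTS", CONTACTS), ("LAYERED", LAYERED)):
        for who in (None, entry, "uid=ben,ou=People,dc=cpc", "uid=carol,ou=People,dc=cpc"):
            level, trace = evaluate(acl, who, entry, None, GROUPS)
            print(f"{name:9} {who or 'anonymous':40} -> {level:5} via {trace}")
```

`LAYERED` corresponds to a slapd.conf pair such as `access to dn.subtree="ou=Contacts,ou=People,dc=cpc" by self write by group="cn=utiba,ou=grpUtiba,ou=Group,dc=cpc" write by * none break` followed by `access to dn.subtree="dc=cpc" by users read by anonymous auth`; the trace for an ordinary user shows two applied clauses, the `break` and then the general `users read`. Because `stop` is already the default, writing it out changes nothing; what evaluation order does affect is which clause wins, which is why the model returns the trace alongside the level.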