
Re: ldap user management



Hello Jon


Jon Roberts wrote:

Matthieu wrote:


It depends on how you set your access control up. For example you can refer
to all authenticating users in an ACL with the who field set to "auth".

Or is there another way to add access rights in the server management?
Furthermore, do you know some specific resources about user access
rights on ldap?


man slapd.access


thanks for your tips.
I'd read the theory about the permission settings, but I can't find
some examples to set up good rules.
I can set up rules, but the schema seems a bit complex for me, and I would
like to see some good ways to set up rules.
For example, in firewalling rules, there are some ways to set up good
rules; I suppose that in the ldap security permissions there are too.
But there are some points that I don't understand or that are still dark to me
when setting up these rules.

My ldap directory is based on only one backend db:
dc=localhost,dc=localdomain

Three organizational units are subtrees. Two of them are dedicated to
contacts: professionnal, dedicated to professional contacts, and
personnal.
The user security accounts that I would like to give access to are in
a third organizationalUnit, called accounts


dn: dc=localhost,dc=localdomain
objectClass: top
objectClass: dcObject
objectClass: organization
o: datas
dc: localhost

dn: ou=personnal,dc=localhost,dc=localdomain
ou: personnal
objectClass: top
objectClass: organizationalUnit

dn: ou=LED ZEPPELIN,ou=personnal,dc=localhost,dc=localdomain
ou: LED ZEPPELIN
objectClass: top
objectClass: organizationalUnit

dn: ou=professionnal,dc=localhost,dc=localdomain
objectClass: top
objectClass: organizationalUnit
ou: professionnal

dn: ou=JIMI HENDRIX EXPERIENCE,ou=professionnal,dc=localhost,dc=localdomain
ou: JIMI HENDRIX EXPERIENCE
objectClass: top
objectClass: organizationalUnit
####################

dn: ou=access account,dc=localhost,dc=localdomain
objectClass: top
objectClass: organizationalUnit
ou: access account
####################

dn: ou=personnal,ou=access account,dc=localhost,dc=localdomain
objectClass: top
objectClass: organizationalUnit
ou: personnal

dn: cn=Robert PLANT,ou=personnal,ou=access account,dc=localhost,dc=localdomain
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
givenName: Robert
sn: PLANT
cn: Robert PLANT
mail: robert.plant@ledzeppelin.com

#####################

dn: ou=professionnal,ou=access account,dc=localhost,dc=localdomain
objectClass: top
objectClass: organizationalUnit
ou: professionnal

# the dn must be on one line (or continued with a leading space), and the
# cn value must contain the RDN value "Jimi HENDRIX" or ldapadd rejects the entry
dn: cn=Jimi HENDRIX,ou=professionnal,ou=access account,dc=localhost,dc=localdomain
objectClass: top
objectClass: inetOrgPerson
sn: HENDRIX
givenName: Jimi
cn: Jimi HENDRIX

#####################

dn: ou=all,ou=access account,dc=localhost,dc=localdomain
objectClass: top
objectClass: organizationalUnit
ou: all

dn: cn=DYLAN,ou=all,ou=access account,dc=localhost,dc=localdomain
objectClass: inetOrgPerson
objectClass: top
sn: bob
cn: DYLAN


Here's what I would like to allow:
registered users with their account in the accounts organizationalUnit can
access the related organizationalUnit
for example,

Robert PLANT can login, and read ou=personnal,dc=localhost,dc=localdomain
and under
Jimi HENDRIX can login and read
ou=professionnal,dc=localhost,dc=localdomain and under
and Bob DYLAN can login and read all subtrees behind
dc=localhost,dc=localdomain

Even if these are foo examples, perhaps my model is not well done?
But I can't find some good resources to write correct access rules without
leaving security holes or inappropriate permissions.
I've tried for long days to set up these rules, without success.
Perhaps someone can give me the first steps to set up these rules? Not
writing them, just the beginning?
Sorry for these newbie problems, I just want to do a good job...
best regards
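As an added example that is not part of the thread, here is one way to express the three rules above as slapd.conf access directives of the kind documented in slapd.access(5), using the DNs from the LDIF. It assumes the account entries under ou=access account carry a userPassword attribute so they can bind, and that the deny-by-default style is wanted.

```conf
# Added example, not from the thread: slapd.conf ACLs for the tree above.
# Assumes the accounts under ou=access account carry userPassword so they can bind.
# slapd uses the first "access to" whose target matches and, within it, the
# first "by" whose subject matches, so the most specific targets come first.

# Passwords: owners may change their own, anonymous may only bind with them
# ("auth" access), and nobody else can read them.
access to attrs=userPassword
        by self write
        by anonymous auth
        by * none

# Bob DYLAN (any account under ou=all) reads the whole directory.
# "break" makes every other subject fall through to the directives below.
access to dn.subtree="dc=localhost,dc=localdomain"
        by dn.children="ou=all,ou=access account,dc=localhost,dc=localdomain" read
        by * break

# Personal contacts: only accounts kept under ou=personnal,ou=access account.
access to dn.subtree="ou=personnal,dc=localhost,dc=localdomain"
        by dn.children="ou=personnal,ou=access account,dc=localhost,dc=localdomain" read
        by * none

# Professional contacts: only accounts kept under ou=professionnal,ou=access account.
access to dn.subtree="ou=professionnal,dc=localhost,dc=localdomain"
        by dn.children="ou=professionnal,ou=access account,dc=localhost,dc=localdomain" read
        by * none

# Everything else (the base entry, the account OUs): a bound user may read
# its own entry; anything not granted above is denied.
access to *
        by self read
        by * none
```

Because "read" implies "search", each user can run a subtree search with its own ou as the base; a search based at dc=localhost,dc=localdomain only succeeds for accounts under ou=all, which is the intended separation.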