ACL Clarification
Ok,
I think I have it mostly figured out for my particular case. I would
appreciate any comments (and improvements) on the following set of ACLs
which limit access to a staff object in my directory. I am very
interested if there is a best practice way on how to provide different
levels of access to different attributes of an object. Once I get this
down, I will add something to the FAQ. Thanks in advance for your help.
# Basic setup ACLs
# Allow everyone to access the base DN to set up a connection
access to dn.base=""
        by * read
# Allow everyone to access all entries
access to attrs=entry
        by self write
        by * read
# The password can only be changed by self and admins
access to attrs=userPassword
        by anonymous auth
        by group/nsdGrp/memberURL="cn=Admins,ou=Groups,dc=nsd,dc=org" write
        by self write
        by * none
# Staff tree ACLs
# everyone can read these attributes, admins can write
access to dn.subtree="ou=staff,ou=People,dc=nsd,dc=org"
        attrs=cn,givenName,sn,mail,displayName
        by group/nsdGrp/memberURL="cn=Admins,ou=Groups,dc=nsd,dc=org" write
        by * read
# everyone can read these attributes, admins and self can write
access to dn.subtree="ou=staff,ou=People,dc=nsd,dc=org"
        attrs=nsdPrefLastName,nsdPrefFirstName
        by group/nsdGrp/memberURL="cn=Admins,ou=Groups,dc=nsd,dc=org" write
        by self write
        by * read
# all authenticated people can read, admins can write
access to dn.subtree="ou=staff,ou=People,dc=nsd,dc=org"
        attrs=nsdMobilePhone,nsdAltPhone,nsdGeneralPhone,nsdPhoto
        by group/nsdGrp/memberURL="cn=Admins,ou=Groups,dc=nsd,dc=org" write
        by users read
        by * search
# all authenticated people can read, admins & self can write
access to dn.subtree="ou=staff,ou=People,dc=nsd,dc=org"
        attrs=nsdPersonalEmail,nsdPersonalPhone,nsdPersonalMobilePhone
        by group/nsdGrp/memberURL="cn=Admins,ou=Groups,dc=nsd,dc=org" write
        by self write
        by users read
        by * search
# self can read these attributes, admins can write
access to dn.subtree="ou=staff,ou=People,dc=nsd,dc=org"
        attrs=nsdEmployeeNumber,nsdBargainUnit,nsdPCN
        by group/nsdGrp/memberURL="cn=Admins,ou=Groups,dc=nsd,dc=org" write
        by self read
        by * search
# for everything else, only admins can read & write
access to *
        by group/nsdGrp/memberURL="cn=Admins,ou=Groups,dc=nsd,dc=org" write
        by * search
cheers,
ski
--
"When we try to pick out anything by itself, we find it
connected to the entire universe" John Muir
Chris "Ski" Kacoroski, ski@nsd.org, 206-501-9803
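As an added example (not part of the post above, and not OpenLDAP's own code), the following Python models how slapd evaluates the staff ACLs in the message: first matching "access to" clause wins, then first matching "by" clause, with the levels ordered none < auth < compare < search < read < write. The two global setup rules (dn.base="" and attrs=entry) are omitted since they do not affect per-attribute results; group membership is modelled as a plain set rather than the memberURL lookup.

```python
# Added example, not from the original post: a model of how slapd would
# evaluate the staff ACLs above. The first "access to" clause whose target
# (subtree, attribute) matches is the only one consulted; within it the
# first matching "by" clause decides. Levels are ordered: "search" only
# lets an attribute appear in a filter, "read" discloses it, "write" changes it.
LEVELS = ["none", "auth", "compare", "search", "read", "write"]
STAFF = "ou=staff,ou=People,dc=nsd,dc=org"
ADMINS = "cn=Admins,ou=Groups,dc=nsd,dc=org"

# (subtree or None, attribute set or None, ordered "by" clauses) as posted
ACLS = [
    (None, {"userPassword"},
     [("anonymous", "auth"), ("admins", "write"), ("self", "write"), ("*", "none")]),
    (STAFF, {"cn", "givenName", "sn", "mail", "displayName"},
     [("admins", "write"), ("*", "read")]),
    (STAFF, {"nsdPrefLastName", "nsdPrefFirstName"},
     [("admins", "write"), ("self", "write"), ("*", "read")]),
    (STAFF, {"nsdMobilePhone", "nsdAltPhone", "nsdGeneralPhone", "nsdPhoto"},
     [("admins", "write"), ("users", "read"), ("*", "search")]),
    (STAFF, {"nsdPersonalEmail", "nsdPersonalPhone", "nsdPersonalMobilePhone"},
     [("admins", "write"), ("self", "write"), ("users", "read"), ("*", "search")]),
    (STAFF, {"nsdEmployeeNumber", "nsdBargainUnit", "nsdPCN"},
     [("admins", "write"), ("self", "read"), ("*", "search")]),
    (None, None, [("admins", "write"), ("*", "search")]),
]

def who_matches(who, bind_dn, groups, entry_dn):
    """bind_dn is None for an anonymous bind; groups is the binder's group set."""
    return {"*": True,
            "anonymous": bind_dn is None,
            "users": bind_dn is not None,
            "self": bind_dn == entry_dn,
            "admins": ADMINS in groups}[who]

def effective_level(bind_dn, groups, entry_dn, attr):
    """Access level the binder gets on one attribute of entry_dn."""
    for subtree, attrs, by_clauses in ACLS:
        if subtree and not entry_dn.endswith("," + subtree):
            continue
        if attrs is not None and attr not in attrs:
            continue
        for who, level in by_clauses:
            if who_matches(who, bind_dn, groups, entry_dn):
                return level
        return "none"          # target matched but no "by" clause did
    return "none"              # no clause matched at all

def can(bind_dn, groups, entry_dn, attr, needed):
    """True if the binder's effective level is at least `needed`."""
    have = effective_level(bind_dn, groups, entry_dn, attr)
    return LEVELS.index(have) >= LEVELS.index(needed)
```

Calling effective_level for each requester class against each attribute gives a quick table to check that the posted rules grant what their comments claim, and that anonymous binds are left with "search" on the non-public attributes.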