On Mon, Jul 24, 2006 at 03:55:41PM -0700, Ski Kacoroski wrote:
> Ok,
>
> I think I have it mostly figured out for my particular case. I would
> appreciate any comments (and improvements) on the following set of ACLs
> which limit access to a staff object in my directory. I am very
> interested if there is a best practice way on how to provide different
> levels of access to different attributes of an object. Once I get this
> down, I will add something to the FAQ. Thanks in advance for your help.
>
I have a line at the top of my access file like this (change for your
config):
access to *
by group/nsdGrp/memberURL="cn=Admins,ou=Groups,dc=nsd,dc=org" write
by * break
instead of having to add it in on each access statement!
> # Basic setup ACLs
> # Allow everyone to access base dn to set up a connection
> access to dn.base=""
> by * read
>
> # Allow everyone to access all entries
> access to attrs=entry
> by self write
> by * read
>
> # password only can be changed by self and admins
> access to attrs=userPassword
> by anonymous auth
> by group/nsdGrp/memberURL="cn=Admins,ou=Groups,dc=nsd,dc=org" write
> by self write
> by * none
>
> # Staff tree ACLs
> # everyone can read these attributes, admins can write
> access to dn.subtree="ou=staff,ou=People,dc=nsd,dc=org"
> attrs=cn,givenName,sn,mail,displayName
> by group/nsdGrp/memberURL="cn=Admins,ou=Groups,dc=nsd,dc=org" write
> by * read
>
> # everyone can read these attributes, admins and self can write
> access to dn.subtree="ou=staff,ou=People,dc=nsd,dc=org"
> attrs=nsdPrefLastName,nsdPrefFirstName
> by group/nsdGrp/memberURL="cn=Admins,ou=Groups,dc=nsd,dc=org" write
> by self write
> by * read
>
> # all authenticated people can read, admins can write
> access to dn.subtree="ou=staff,ou=People,dc=nsd,dc=org"
> attrs=nsdMobilePhone,nsdAltPhone,nsdGeneralPhone,nsdPhoto
> by group/nsdGrp/memberURL="cn=Admins,ou=Groups,dc=nsd,dc=org" write
> by users read
> by * search
>
> # all authenticated people can read, admins & self can write
> access to dn.subtree="ou=staff,ou=People,dc=nsd,dc=org"
> attrs=nsdPersonalEmail,nsdPersonalPhone,nsdPersonalMobilePhone
> by group/nsdGrp/memberURL="cn=Admins,ou=Groups,dc=nsd,dc=org" write
> by self write
> by users read
> by * search
>
> # self can read these attributes, admins can write
> access to dn.subtree="ou=staff,ou=People,dc=nsd,dc=org"
> attrs=nsdEmployeeNumber,nsdBargainUnit,nsdPCN
> by group/nsdGrp/memberURL="cn=Admins,ou=Groups,dc=nsd,dc=org" write
> by self read
> by * search
>
> # for everything else, only admins can read & write
> access to *
> by group/nsdGrp/memberURL="cn=Admins,ou=Groups,dc=nsd,dc=org" write
> by * search
>
> cheers,
>
> ski
>
> --
> "When we try to pick out anything by itself, we find it
> connected to the entire universe" John Muir
>
> Chris "Ski" Kacoroski, ski@nsd.org, 206-501-9803
>
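Added example, not code from the thread: a small Python model of how slapd selects the first matching access directive and then the first matching by clause, fed with Ski's ACLs after the Admins clause has been hoisted into the "by * break" directive from the reply. The entry DNs and the Admins membership are constructed for the example; "group:" stands in for slapd's group/nsdGrp/memberURL selector.

```python
# Added example, not code from the thread: a small model of how slapd picks an
# access directive and a 'by' clause, fed with Ski's ACLs plus the reply's top line.
LEVELS = ["none", "disclose", "auth", "compare", "search", "read", "write", "manage"]
ADMINS = "cn=Admins,ou=Groups,dc=nsd,dc=org"
STAFF = "ou=staff,ou=People,dc=nsd,dc=org"
ALICE, BOB = "uid=alice," + STAFF, "uid=bob," + STAFF   # constructed admin and staff entries
GROUPS = {ADMINS: {ALICE}}                               # constructed group membership

def in_target(target, dn, attr):
    """target = (scope, dn, attrs): scope None is 'access to *', attrs None is any attribute."""
    scope, tdn, attrs = target
    in_scope = (scope is None or (scope == "base" and dn == tdn)
                or (scope == "subtree" and (dn == tdn or dn.endswith("," + tdn))))
    return in_scope and (attrs is None or attr in attrs)

def who_matches(who, bound_dn, dn):
    if who.startswith("group:"):
        return bound_dn in GROUPS.get(who[6:], ())
    return {"*": True, "anonymous": bound_dn is None, "users": bound_dn is not None,
            "self": bound_dn == dn}[who]

def granted(acls, bound_dn, dn, attr):
    """Level slapd grants: first directive whose target matches, first 'by' that matches."""
    for target, clauses in acls:
        if in_target(target, dn, attr):
            for who, level, control in clauses:
                if who_matches(who, bound_dn, dn):
                    if control == "break":
                        break      # the reply's idiom: go on to the next directive
                    return level
            else:
                return "none"      # target matched but no 'by' clause did: denied
    return "none"

def allowed(acls, bound_dn, dn, attr, needed):
    return LEVELS.index(granted(acls, bound_dn, dn, attr)) >= LEVELS.index(needed)

ANY = (None, None, None)
ACLS = [  # Ski's rules, with the Admins clause hoisted into the first directive
    (ANY, [("group:" + ADMINS, "write", "stop"), ("*", "none", "break")]),
    (("base", "", None), [("*", "read", "stop")]),
    ((None, None, {"entry"}), [("self", "write", "stop"), ("*", "read", "stop")]),
    ((None, None, {"userPassword"}), [("anonymous", "auth", "stop"), ("self", "write", "stop"), ("*", "none", "stop")]),
    (("subtree", STAFF, {"cn", "givenName", "sn", "mail", "displayName"}), [("*", "read", "stop")]),
    (("subtree", STAFF, {"nsdPrefLastName", "nsdPrefFirstName"}), [("self", "write", "stop"), ("*", "read", "stop")]),
    (("subtree", STAFF, {"nsdMobilePhone", "nsdAltPhone", "nsdGeneralPhone", "nsdPhoto"}), [("users", "read", "stop"), ("*", "search", "stop")]),
    (("subtree", STAFF, {"nsdPersonalEmail", "nsdPersonalPhone", "nsdPersonalMobilePhone"}), [("self", "write", "stop"), ("users", "read", "stop"), ("*", "search", "stop")]),
    (("subtree", STAFF, {"nsdEmployeeNumber", "nsdBargainUnit", "nsdPCN"}), [("self", "read", "stop"), ("*", "search", "stop")]),
    (ANY, [("*", "search", "stop")]),
]
```

The model ignores slapd's incremental (+/-) privileges; it is meant for checking which level each class of bind DN ends up with on each attribute group before loading the rules into a real server.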