[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: ACL Clarification

To: Ski Kacoroski <ckacoroski@nsd.org>
Subject: Re: ACL Clarification
From: Atom Powers <apowers@digipen.edu>
Date: Tue, 25 Jul 2006 08:24:59 -0700
Cc: OpenLDAP-software@OpenLDAP.org
In-reply-to: <44C54FED.9040305@nsd.org>
References: <44C54FED.9040305@nsd.org>
User-agent: Thunderbird 1.5.0.4 (Windows/20060516)

Ski Kacoroski wrote:

Ok,
I think I it mostly figured out for my particular case. I would appreciate any comments (and improvements) on the following set of ACLs which limit access to a staff object in my directory. I am very interested if there is a best practice way on how to provide different levels of access to different attributes of an object. Once I get this down, I will add something the FAQ. Thanks in advance for your help.

Not relevant to your ACLs, but something to put in the FAQ: every ACL is followed by an implicit "by * none", so any ACL later in the list which applies in the same scope as a previous ACL will not be effective. (So if you were to put your last ACL, below, first then it would be the only one that was effective unless you specified "by * break".)

# Basic setup ACL's
# Allow everyone to access base dn to set up a connection
access to dn.base=""
  by * read
# Allow everyone to access all entries
access to attrs=entry
  by self write
  by * read
# password only can be changed by self and admins
access to attrs=userPassword
  by anonymous auth
  by group/nsdGrp/memberURL="cn=Admins,ou=Groups,dc=nsd,dc=org" write
  by self write
  by * none
# Staff tree ACLs # everyone can read these attributes, admins can write access to dn.subtree="ou=staff,ou=People,dc=nsd,dc=org" attrs=cn,givenName,sn,mail,displayName by group/nsdGrp/memberURL="cn=Admins,ou=Groups,dc=nsd,dc=org" write by * read

# everyone can read these attributes, admins and self can write access to dn.subtree="ou=staff,ou=People,dc=nsd,dc=org" attrs=nsdPrefLastName,nsdPrefFirstName by group/nsdGrp/memberURL="cn=Admins,ou=Groups,dc=nsd,dc=org" write by self write by * read

# all authenticated people can read, admins can write access to dn.subtree="ou=staff,ou=People,dc=nsd,dc=org" attrs=nsdMobilePhone,nsdAltPhone,nsdGeneralPhone,nsdPhoto by group/nsdGrp/memberURL="cn=Admins,ou=Groups,dc=nsd,dc=org" write by users read by * search

# all authenticated people can read, admins & self can write access to dn.subtree="ou=staff,ou=People,dc=nsd,dc=org" attrs=nsdPersonalEmail,nsdPersonalPhone,nsdPersonalMobilePhone by group/nsdGrp/memberURL="cn=Admins,ou=Groups,dc=nsd,dc=org" write by self write by users read by * search

# self can read these attributes, admins can write access to dn.subtree="ou=staff,ou=People,dc=nsd,dc=org" attrs=nsdEmployeeNumber,nsdBargainUnit,nsdPCN by group/nsdGrp/memberURL="cn=Admins,ou=Groups,dc=nsd,dc=org" write by self read by * search
# for everything else, only admins can read & write
access to *
  by group/nsdGrp/memberURL="cn=Admins,ou=Groups,dc=nsd,dc=org" write
  by * search
cheers,
ski


--
Perfection is just a word I use occasionally with mustard.
--Atom Powers--
Systems Administrator
DigiPen Institute of Technology
(425) 895-4443

References:
- ACL Clarification
  - From: Ski Kacoroski <ckacoroski@nsd.org>

Prev by Date: Re: rewrite insight needed
Next by Date: Re: error with openldap upgrade
Index(es):
- Chronological
- Thread