ACL to give DN write access to userPassword only under a certain OU.
Hi,
I want to give a certain DN access to the userPassword attribute and the ability to delete and add entries in one OU of my LDAP tree.
---
tree-root
..OU=adm
...."DN I want to give rights", let's call it "webmail-domain-xyz".
..OU=people
....cn=10000000000,ou=people,dc=organization,dc=org
---
The DNs that "webmail-domain-xyz" will have access to will always be of the form "cn=10000000000,ou=people,dc=organization,dc=org", where the cn will range from 10000000000 to 19999999999.
My question is related to my ACLs' processing:
------------ current working ACLs -----
# ACL 0
access to dn.base="cn=Subschema"
    by * read
# ACL 1
access to attrs=userPKCS12
    by self write
    by * auth
# ACL 2
access to attrs=shadowLastChange
    by self write
    by * read
# ACL 3
access to attrs=userPassword
    by dn="cn=reallysureyouwannauserootdn,dc=organization,dc=org" write
    by anonymous auth
    by self write
    by * none
# ACL 4
access to dn.base=""
    by * read
# ACL 5, 6
# (So Dovecot won't look where it's not supposed to, and will not complain about duplicated entries)
access to dn.subtree="ou=moodle001,ou=moodleusers,ou=people,dc=organization,dc=org"
    by dn="uid=MoodleLDAPAdmin001,ou=adm,dc=organization,dc=org" write
    by dn="uid=dovecot-domain-xyz,ou=adm,dc=organization,dc=org" none
    by * read
access to dn.subtree="ou=moodle001,ou=moodlecourses,dc=organization,dc=org"
    by dn="uid=MoodleLDAPAdmin001,ou=adm,dc=organization,dc=org" write
    by dn="uid=dovecot-domain-xyz,ou=adm,dc=organization,dc=org" none
    by * read
# ACL 7
# So webmail related scripts can add new users to LDAP.
access to dn.subtree="ou=people,dc=organization,dc=org"
    by dn="uid=webmail-domain-xyz,ou=adm,dc=organization,dc=org" write
    by * read
# ACL 8
access to *
    by dn="cn=reallysureyouwannauserootdn,dc=organization,dc=org" write
    by * read
------------ current working ACLs -----
Q1) This is the ACL I need to add(?):
----- new acl
access to dn.regex="^(.+,)?cn=([^,]+),ou=people,dc=organization,dc=org$" attrs=userPassword
    by dn="cn=reallysureyouwannauserootdn,dc=organization,dc=org" write
    by dn="uid=webmail-domain-xyz,ou=adm,dc=organization,dc=org" write
    by anonymous auth
    by self write
    by * none
----- new acl
Q2) Since I need these to continue to (co)exist:
- users under OU=people continue to have write access to their userPassword fields
- all other users (that are not under OU=people) continue to have write access to their userPassword fields
- the root DN continues to have write access to everyone's userPassword field
- webmail-domain-xyz now has write access to the userPassword fields of the users under OU=people
(QUESTION) this "new acl" needs to go between the current ACL #2 and ACL #3, right?
Since this "new acl" is a subcase of the current ACL #3, I need to put the "new acl" before ACL #3, and make sure all cases that are _not_ related to the "new acl" do not make a match when the "new acl" is being processed (so they will fall under ACL #3 or go further to the next ACLs). I analyzed (since a match means "stop processing"):
- the "what"
- everyone else who does not match the "who"
- all DNs under OU=people
- the root DN
- the webmail DN (new "who" on the scenario)
Q3) If I need to make the regex a little more specific, is this right:
dn.regex="^cn=([^1][0-9]+),ou=people,dc=organization,dc=org$" attrs=userPassword
(to match cn=10000000000,ou=people,dc=organization,dc=org or cn=19999999999,ou=people,dc=organization,dc=org).
Q4) Is ACL #7 gonna be affected by the "new acl"? I mean, if the "webmail-domain-xyz" DN wants to add a new user to OU=people, will ACL processing stop on the "new acl" and never get to ACL #7? Because the "new acl" only mentions the userPassword attribute, not the right to _add entries under OU=people_.
references to get here:
- man 5 slapd.access
- http://www.openldap.org/lists/openldap-software/200602/msg00077.html
- http://www.openldap.org/lists/openldap-software/200602/msg00080.html
thanks!
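As an added illustration (not from the post, and not OpenLDAP code), a small Python model of the first-match evaluation that slapd.access(5) describes, loaded with the post's ACL 3, ACL 7, ACL 8 and the proposed "new acl", so the ordering question in Q2 and the entry-versus-attribute question in Q4 can be checked mechanically. It assumes the simplified semantics in the comments: an `attrs=userPassword` clause matches only requests on that attribute, so an entry-level add falls through to ACL 7 (a real add additionally needs write access to every attribute of the new entry, which the new ACL would then govern for userPassword).

```python
import re

# Model of slapd.access(5) first-match evaluation (added example, not OpenLDAP
# code): the first "access to <what>" matching target DN + attribute is selected;
# within it the first matching "by <who>" decides, and a selected clause with no
# matching "by" yields "none". Only dn.subtree, dn.regex, attrs= and
# by dn=/self/anonymous/* are modelled; DNs are the ones from the post.
ROOT = "cn=reallysureyouwannauserootdn,dc=organization,dc=org"
WEBMAIL = "uid=webmail-domain-xyz,ou=adm,dc=organization,dc=org"
PEOPLE = "ou=people,dc=organization,dc=org"
NEW_ACL = ({"regex": r"^(.+,)?cn=([^,]+),ou=people,dc=organization,dc=org$",
            "attrs": {"userpassword"}},
           [(ROOT, "write"), (WEBMAIL, "write"), ("anonymous", "auth"),
            ("self", "write"), ("*", "none")])
ACL3 = ({"attrs": {"userpassword"}},
        [(ROOT, "write"), ("anonymous", "auth"), ("self", "write"), ("*", "none")])
ACL7 = ({"subtree": PEOPLE}, [(WEBMAIL, "write"), ("*", "read")])
ACL8 = ({}, [(ROOT, "write"), ("*", "read")])
ORDERED = [NEW_ACL, ACL3, ACL7, ACL8]   # the post's proposal: new ACL before ACL 3

def what_matches(what, target_dn, attr):
    """True when the <what> part of an access clause covers this DN/attribute."""
    dn = target_dn.lower()
    if "attrs" in what and attr.lower() not in what["attrs"]:
        return False
    if "subtree" in what and not (dn == what["subtree"] or dn.endswith("," + what["subtree"])):
        return False
    if "regex" in what and not re.match(what["regex"], dn, re.IGNORECASE):
        return False
    return True

def who_matches(who, requester, target_dn):
    """True when a <by> clause applies to the bound requester (None = anonymous)."""
    if who == "*":
        return True
    if who == "anonymous":
        return requester is None
    if who == "self":
        return requester is not None and requester.lower() == target_dn.lower()
    return requester is not None and requester.lower() == who.lower()

def evaluate(acls, requester, target_dn, attr="entry"):
    """Access level granted; 'entry' is the pseudo-attribute for entry-level ops such as add."""
    for what, by_clauses in acls:
        if what_matches(what, target_dn, attr):
            for who, level in by_clauses:
                if who_matches(who, requester, target_dn):
                    return level
            return "none"
    return "none"
```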