ACL sanity check
- To: "openldap-technical@openldap.org" <openldap-technical@openldap.org>
- Subject: ACL sanity check
- From: Brendan Kearney <bpk678@gmail.com>
- Date: Sat, 16 May 2015 16:39:47 -0400
I am looking to improve my access controls, and wanted to make sure the
below passes muster and sanely implements what I am looking for.
0 - ldap admins get access to the entire directory
{0}to dn.subtree="dc=bpk2,dc=com"
    by group.exact="cn=ldapAdmins,ou=domainGroups,ou=Groups,dc=bpk2,dc=com" manage
    by anonymous auth
    by * none
1 - kerberos ids get only the access they need
{1}to dn.subtree="cn=BPK2.COM,dc=bpk2,dc=com"
    by dn="cn=kadmin,dc=bpk2,dc=com" write
    by dn="cn=kdc,dc=bpk2,dc=com" read
    by * none
2 - dns engineers, admins and dns process accounts get access
{2}to dn.subtree="cn=dns,ou=Daemons,dc=bpk2,dc=com"
    by group.exact="cn=dnsEngineers,ou=domainGroups,ou=Groups,dc=bpk2,dc=com" manage
    by group.exact="cn=dnsAdmins,ou=domainGroups,ou=Groups,dc=bpk2,dc=com" write
    by group.exact="cn=dnsProcesses,ou=processGroups,ou=Groups,dc=bpk2,dc=com" write
    by * none
3 - dhcp engineers, admins and dhcp process accounts get access
{3}to dn.subtree="cn=DHCP Config,ou=Daemons,dc=bpk2,dc=com"
    by group.exact="cn=dhcpEngineers,ou=domainGroups,ou=Groups,dc=bpk2,dc=com" manage
    by group.exact="cn=dhcpAdmins,ou=domainGroups,ou=Groups,dc=bpk2,dc=com" write
    by group.exact="cn=dhcpProcesses,ou=processGroups,ou=Groups,dc=bpk2,dc=com" read
    by * none
4 - dhcp engineers, admins and dhcp process accounts get access
{4}to dn.subtree="cn=DHCP Servers,ou=Daemons,dc=bpk2,dc=com"
    by group.exact="cn=dhcpEngineers,ou=domainGroups,ou=Groups,dc=bpk2,dc=com" manage
    by group.exact="cn=dhcpAdmins,ou=domainGroups,ou=Groups,dc=bpk2,dc=com" write
    by group.exact="cn=dhcpProcesses,ou=processGroups,ou=Groups,dc=bpk2,dc=com" read
    by * none
5 - users can read this ou
{5}to dn.subtree="ou=Computers,dc=bpk2,dc=com"
    by users read
    by * none
6 - users can read this ou
{6}to dn.subtree="ou=Groups,dc=bpk2,dc=com"
    by users read
    by * none
7 - users can read this ou
{7}to dn.subtree="ou=Networks,dc=bpk2,dc=com"
    by users read
    by * none
8 - users can read this ou
{8}to dn.subtree="ou=Users,dc=bpk2,dc=com"
    by users read
    by * none
Are there any specific ACLs that I should have? Are there any glaring
issues with the above proposed ACLs?
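The check a reviewer would want to run on a ruleset like this is the one slapd itself applies: directives are evaluated in order, the first directive whose `to` clause matches the target entry is the only one consulted, and within it the first matching `by` clause decides (every directive ends with an implicit `by * none`). The following toy simulator is an added example, not code from the post or from OpenLDAP; it transcribes directives {0}, {1}, {2} and {8} from the message above, uses constructed bind identities (`cn=kadmin`, a member of `cn=ldapAdmins`, an ordinary user, and anonymous) and models only `dn.subtree` targets and the `*`, `anonymous`, `users`, `dn` and `group.exact` subjects. Attribute-level rules, `self`, regex styles and `break`/`continue` controls are not modelled. The `catch_all_last` helper is an illustrative reordering, not a recommendation from the post.

```python
"""Toy simulator of slapd access-directive evaluation (first-match semantics)."""
from dataclasses import dataclass
from typing import List, Optional, Tuple

# slapd access levels, lowest to highest; a granted level satisfies any level at or below it.
LEVELS = ["none", "disclose", "auth", "compare", "search", "read", "write", "manage"]


@dataclass
class Subject:
    """Who is asking: bind DN (None = anonymous) and the groups that DN belongs to."""
    dn: Optional[str] = None
    groups: frozenset = frozenset()


def norm(dn: str) -> str:
    """Cheap DN normalisation for comparison: lower-case, strip spaces around commas."""
    return ",".join(part.strip() for part in dn.lower().split(","))


def in_subtree(target: str, base: str) -> bool:
    """dn.subtree matches the base entry itself and everything below it."""
    t, b = norm(target), norm(base)
    return t == b or t.endswith("," + b)


def who_matches(who: tuple, subject: Subject) -> bool:
    """Evaluate one `by <who>` clause against the bound identity."""
    kind = who[0]
    if kind == "*":
        return True
    if kind == "anonymous":
        return subject.dn is None
    if kind == "users":                       # any authenticated DN
        return subject.dn is not None
    if kind == "dn":                          # dn="..." (exact match)
        return subject.dn is not None and norm(subject.dn) == norm(who[1])
    if kind == "group":                       # group.exact="..."
        return norm(who[1]) in {norm(g) for g in subject.groups}
    raise ValueError(f"unsupported who clause: {who}")


Directive = Tuple[str, List[Tuple[tuple, str]]]   # (subtree base, [(who, level), ...])


def evaluate(directives: List[Directive], target_dn: str, subject: Subject):
    """Return (deciding_to_clause, level). Only the first matching `to` is consulted."""
    for base, by_clauses in directives:
        if not in_subtree(target_dn, base):
            continue
        for who, level in by_clauses:
            if who_matches(who, subject):
                return base, level
        return base, "none"                   # implicit `by * none`
    return None, "none"                       # nothing matched: default deny


def allowed(directives, target_dn, subject, needed: str) -> bool:
    _, granted = evaluate(directives, target_dn, subject)
    return LEVELS.index(granted) >= LEVELS.index(needed)


# Directives {0}, {1}, {2} and {8} transcribed from the post (constructed data structure).
DOMAIN_GROUPS = "ou=domainGroups,ou=Groups,dc=bpk2,dc=com"
PROCESS_GROUPS = "ou=processGroups,ou=Groups,dc=bpk2,dc=com"
POSTED: List[Directive] = [
    ("dc=bpk2,dc=com", [(("group", f"cn=ldapAdmins,{DOMAIN_GROUPS}"), "manage"),
                        (("anonymous",), "auth"),
                        (("*",), "none")]),
    ("cn=BPK2.COM,dc=bpk2,dc=com", [(("dn", "cn=kadmin,dc=bpk2,dc=com"), "write"),
                                    (("dn", "cn=kdc,dc=bpk2,dc=com"), "read"),
                                    (("*",), "none")]),
    ("cn=dns,ou=Daemons,dc=bpk2,dc=com", [(("group", f"cn=dnsEngineers,{DOMAIN_GROUPS}"), "manage"),
                                          (("group", f"cn=dnsAdmins,{DOMAIN_GROUPS}"), "write"),
                                          (("group", f"cn=dnsProcesses,{PROCESS_GROUPS}"), "write"),
                                          (("*",), "none")]),
    ("ou=Users,dc=bpk2,dc=com", [(("users",), "read"), (("*",), "none")]),
]

# Constructed identities for the walk-through.
KADMIN = Subject(dn="cn=kadmin,dc=bpk2,dc=com")
LDAP_ADMIN = Subject(dn="cn=admin1,ou=Users,dc=bpk2,dc=com",
                     groups=frozenset({f"cn=ldapAdmins,{DOMAIN_GROUPS}"}))
PLAIN_USER = Subject(dn="cn=alice,ou=Users,dc=bpk2,dc=com")
ANON = Subject()
ALICE_ENTRY = "cn=alice,ou=Users,dc=bpk2,dc=com"
REALM_ENTRY = "cn=BPK2.COM,dc=bpk2,dc=com"


def catch_all_last(directives: List[Directive]) -> List[Directive]:
    """Illustrative reordering: the dc=bpk2,dc=com catch-all moved after the specific rules."""
    return directives[1:] + directives[:1]


if __name__ == "__main__":
    for label, rules in (("posted order", POSTED), ("catch-all last", catch_all_last(POSTED))):
        print(f"--- {label}")
        print("kadmin on realm entry :", evaluate(rules, REALM_ENTRY, KADMIN))
        print("alice on own entry    :", evaluate(rules, ALICE_ENTRY, PLAIN_USER))
        print("ldapAdmin on alice    :", evaluate(rules, ALICE_ENTRY, LDAP_ADMIN))
        print("anonymous on alice    :", evaluate(rules, ALICE_ENTRY, ANON))
```

In the posted order, the `dc=bpk2,dc=com` directive matches every entry in the directory, so rules {1} through {8} are never reached: `cn=kadmin` lands on `by * none` and gets no access to the realm entry, and ordinary users get nothing under `ou=Users`. Moving the catch-all last makes the specific rules effective, but the simulation also shows what that costs unless the rules are adjusted: the ldapAdmins group is then only an ordinary `users read` inside `ou=Users` (the `manage` grant lives solely in the catch-all), and anonymous no longer receives `auth` on user entries, which simple binds rely on. Each specific directive would need its own `by group.exact=... manage` and `by anonymous auth` lines, or `by * none` replaced by a `break` to fall through to a later rule, for the ordering to work as intended.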