[Date Prev][Date Next]
[Chronological]
[Thread]
[Top]
Re: ACL sanity check
Am Sat, 16 May 2015 16:39:47 -0400
schrieb Brendan Kearney <bpk678@gmail.com>:
> i am looking to improve my access controls, and wanted to make sure
> the below passes muster and sanely implements what i am looking for.
>
> 0 - ldap admins get access to the entire directory
> {0}to dn.subtree="dc=bpk2,dc=com"
> by
> group.exact="cn=ldapAdmins,ou=domainGroups,ou=Groups,dc=bpk2,dc=com"
> manage by anonymous auth
> by * none
>
> 1 - kerberos id get only the access they need
> {1}to dn.subtree="cn=BPK2.COM,dc=bpk2,dc=com"
> by dn="cn=kadmin,dc=bpk2,dc=com" write
> by dn="cn=kdc,dc=bpk2,dc=com" read
> by * none
>
> 2 - dns engineers, admins and dns process accounts get access
> {2}to dn.subtree="cn=dns,ou=Daemons,dc=bpk2,dc=com"
> by
> group.exact="cn=dnsEngineers,ou=domainGroups,ou=Groups,dc=bpk2,dc=com"
> manage
> by
> group.exact="cn=dnsAdmins,ou=domainGroups,ou=Groups,dc=bpk2,dc=com"
> write by
> group.exact="cn=dnsProcesses,ou=processGroups,ou=Groups,dc=bpk2,dc=com"
> write
> by * none
>
> 3 - dhcp engineers, admins and dhcp process accounts get access
> {3}to dn.subtree="cn=DHCP Config,ou=Daemons,dc=bpk2,dc=com"
> by
> group.exact="cn=dhcpEngineers,ou=domainGroups,ou=Groups,dc=bpk2,dc=com"
> manage
> by
> group.exact="cn=dhcpAdmins,ou=domainGroups,ou=Groups,dc=bpk2,dc=com"
> write by
> group.exact="cn=dhcpProcesses,ou=processGroups,ou=Groups,dc=bpk2,dc=com"
> read
> by * none
>
> 4 - dhcp engineers, admins and dhcp process accounts get access
> {4}to dn.subtree="cn=DHCP Servers,ou=Daemons,dc=bpk2,dc=com"
> by
> group.exact="cn=dhcpEngineers,ou=domainGroups,ou=Groups,dc=bpk2,dc=com"
> manage
> by
> group.exact="cn=dhcpAdmins,ou=domainGroups,ou=Groups,dc=bpk2,dc=com"
> write by
> group.exact="cn=dhcpProcesses,ou=processGroups,ou=Groups,dc=bpk2,dc=com"
> read
> by * none
>
> 5 - users can read this ou
> {5}to dn.subtree="ou=Computers,dc=bpk2,dc=com"
> by users read
> by * none
>
> 6 - users can read this ou
> {6}to dn.subtree="ou=Groups,dc=bpk2,dc=com"
> by users read
> by * none
>
> 7 - users can read this ou
> {7}to dn.subtree="ou=Networks,dc=bpk2,dc=com"
> by users read
> by * none
>
> 8 - users can read this ou
> {8}to dn.subtree="ou=Users,dc=bpk2,dc=com"
> by users read
> by * none
>
> are there any specific ACLs that i should have? are there any
> glaring issues with the above proposed ACLs?
you should test your acl's with slapacl(8)
-Dieter
--
Dieter Klünter | Systemberatung
http://sys4.de
GPG Key ID: E9ED159B
53°37'09,95"N
10°08'02,42"E