Author: PerryLorier (revision 6); revision 7 by AndreasRother.

OpenLDAP has very flexible and powerful access controls, but they aren't well documented. There is plenty of documentation about them, but little of it tells you anything *useful*. The most useful part I found was the [BNF], but as most people soon realise, a [BNF] tells you what is syntactically allowed and leaves you with no idea what a particular grammar will actually do.

Anyhow, I'm going to try and explain the access controls __I__ use (which I think cover most of the more advanced features).

Some points to note before we start (for good luck):
# The order of ''access'' directives matters. OpenLDAP uses the first one whose ''to'' clause matches the entry/attribute being accessed and stops looking.
# The order of ''by'' clauses matters. Within the chosen ''access'' directive, OpenLDAP uses the first ''by'' whose ''who'' clause matches the client and stops looking.
# Anything left unmatched is denied: every ''access'' directive ends with an implicit ''by * none'', and the whole list ends with an implicit ''access to * by * none''.

So this is the config I use (''$BASEDN'' is a placeholder for the base DN of your directory):
    access to attribute=userPassword
        by group/groupofuniquenames/uniquemember="ou=!AdminUsers,ou=Accounts,$BASEDN" write
        by dnattr=owner write
        by anonymous auth
        by self write
        by * none

    access to dn=".*,ou=Domains,$BASEDN"
        by group/groupofuniquenames/uniquemember="ou=!AdminUsers,ou=Accounts,$BASEDN" write
        by dnattr=owner write
        by * read

    access to *
        by group/groupOfUniqueNames/uniqueMember="ou=!AdminUsers,ou=Accounts,$BASEDN" write
        by * read

Now, let's go over it step by step.

The first ''access'' directive protects the ''userPassword'' attribute, which stores the password hashes.
    access to attribute=userPassword
This matches the ''userPassword'' attribute of any entry anywhere in the tree, and only that attribute; the rest of each entry falls through to the later directives. Simple enough. (Current releases document this selector as ''attrs=userPassword''.)

    by group/groupofuniquenames/uniquemember="ou=!AdminUsers,ou=Accounts,$BASEDN" write
This matches the DN of the person doing the accessing against the ''uniquemember'' attribute of the ''groupofuniquenames'' entry ''ou=!AdminUsers,ou=Accounts,$BASEDN'' and gives anyone listed there write access. The general form is ''group/<objectClass>/<memberAttribute>="<group DN>"''; the named entry must actually carry that objectClass, or the clause never matches.

This is somewhat confusing, so let's go over it again. Suppose cn=alice,ou=Accounts,$BASEDN wants to change the ''userPassword'' attribute of cn=bob,ou=Accounts,$BASEDN. slapd looks up the ''uniquemember'' attribute of ou=!AdminUsers,ou=Accounts,$BASEDN and checks whether cn=alice,ou=Accounts,$BASEDN is listed there; if so, she may write it.

For reference, the ou=!AdminUsers,ou=Accounts,$BASEDN entry looks like:
    dn: ou=!AdminUsers,ou=Accounts,$BASEDN
    objectClass: top
    objectClass: groupOfUniqueNames
    ou: !AdminUsers
    uniqueMember: cn=alice,ou=Accounts,$BASEDN
    uniqueMember: cn=James Curtis,ou=Accounts,$BASEDN
    uniqueMember: cn=Perry Lorier,ou=Accounts,$BASEDN
Adding or removing people from ''uniqueMember'' grants or revokes their access. Two things to check: with schema checking on, ''groupOfUniqueNames'' also requires a ''cn'' attribute, so add one; and because the catch-all directive at the end lets only this group write, only existing admins (and the rootdn) can edit the membership list, which is what keeps the scheme safe.

    by dnattr=owner write
This checks whether the DN of the user doing the access appears in the ''owner'' attribute of the entry being accessed. For instance, if cn=charlie,ou=Accounts,$BASEDN wanted to change cn=bob,ou=Accounts,$BASEDN's ''userPassword'', this clause checks whether cn=charlie,ou=Accounts,$BASEDN is listed in cn=bob,ou=Accounts,$BASEDN's ''owner'' attribute. Since the catch-all directive below only lets admins write, ordinary users cannot add themselves to someone else's ''owner'' attribute to gain this access.

    by anonymous auth
This lets the anonymous user (a connection that hasn't bound yet) use the password to authenticate, i.e. to bind, but not to read or write it. Without this clause nobody could log in, because a simple bind needs ''auth'' access to ''userPassword'' and the connection is still anonymous when the bind is checked.

    by self write
This lets a user write to their own entry's ''userPassword'', i.e. when the bound DN is the DN of the entry being accessed. For instance, cn=bob,ou=Accounts,$BASEDN can change his own password.

    by * none
Nobody else may read, compare, search or write the password. Fairly simple really. The explicit ''none'' is good practice even though an unmatched request would be denied anyway.


    access to dn=".*,ou=Domains,$BASEDN"
Right, onto the next access. This matches every entry under the Domains subtree. Note the use of a regex(7). Two caveats: in OpenLDAP 2.1 and later a plain ''dn="..."'' selector is an exact match, so this must be spelled ''dn.regex=".*,ou=Domains,$BASEDN"'' (or, with no regex at all, ''dn.children="ou=Domains,$BASEDN"'', which matches the same entries: everything below ou=Domains but not ou=Domains itself); and a regex should be anchored with ''^'' and ''$'' so it cannot match an unintended DN.

    by group/groupofuniquenames/uniquemember="ou=!AdminUsers,ou=Accounts,$BASEDN" write
Once again, anyone in the !AdminUsers group can modify this subtree.

    by dnattr=owner write
And the person listed in the entry's ''owner'' attribute can modify it.

    by * read
And, by default, anyone (anonymous clients included) can read it.

    access to *
Now, for everything else in the tree (a catch-all). Note that this is just "*"; it doesn't have to be ".*".

    by group/groupOfUniqueNames/uniqueMember="ou=!AdminUsers,ou=Accounts,$BASEDN" write
Admins can write, because admins are power-tripping egomaniacs with something to prove.

    by * read
And everyone else can look but not touch; you never know when some user is going to accidentally destroy your entire tree, so you'd rather not give them the opportunity. Note that "everyone" includes anonymous clients, so everything that is not a password (names, mail addresses, group memberships, the ''owner'' attributes) is readable without binding. If that is more than you want to publish, ''by users read'' limits it to authenticated clients. Either way this catch-all must stay last: because ''*'' matches everything, any directive placed after it is never reached.
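The two ordering rules at the top of the page and the clause-by-clause walkthrough above can be checked without a running slapd by modelling the evaluation. The Python below is an added example, not part of this page and not OpenLDAP code: it parses the three directives exactly as written (with ''$BASEDN'' replaced by ''dc=example,dc=com'', an assumption), evaluates them with first-match semantics at both the ''access'' and ''by'' level plus the implicit deny, over a few constructed entries (alice in !AdminUsers, charlie as bob's ''owner'', dave as owner of one domain entry), and then reorders the list to show both pitfalls: moving the catch-all first exposes every password hash to anonymous readers, and moving ''by * none'' to the top of the ''userPassword'' directive locks out the admins. The ''dn="<regex>"'' selector is treated as a regex, as the page describes it; on a modern slapd spell it ''dn.regex=''.

```python
"""Toy model of slapd ACL evaluation (added illustration, not OpenLDAP code): the
first 'access to' whose <what> matches is used, within it the first 'by' whose
<who> matches decides, and anything left unmatched is denied."""
import re

LEVELS = ["none", "auth", "compare", "search", "read", "write"]  # slapd's ordering (disclose/manage omitted)
BASEDN = "dc=example,dc=com"  # assumption: stands in for the page's $BASEDN
# The page's three directives with $BASEDN substituted; the old-style dn="<regex>" <what>
# is treated as a regex, as the page describes it (modern spelling: dn.regex=).
ACL_TEXT = """
access to attribute=userPassword
    by group/groupofuniquenames/uniquemember="ou=!AdminUsers,ou=Accounts,$BASEDN" write
    by dnattr=owner write
    by anonymous auth
    by self write
    by * none
access to dn=".*,ou=Domains,$BASEDN"
    by group/groupofuniquenames/uniquemember="ou=!AdminUsers,ou=Accounts,$BASEDN" write
    by dnattr=owner write
    by * read
access to *
    by group/groupOfUniqueNames/uniqueMember="ou=!AdminUsers,ou=Accounts,$BASEDN" write
    by * read
""".replace("$BASEDN", BASEDN)

ALICE, BOB, CHARLIE, DAVE = (f"cn={n},ou=accounts,{BASEDN}" for n in ("alice", "bob", "charlie", "dave"))
DOMAIN = f"dc=example.org,ou=domains,{BASEDN}"

DIRECTORY = {  # constructed sample entries (not from the page); keys and DN values are lowercase
    f"ou=!adminusers,ou=accounts,{BASEDN}": {"objectclass": ["top", "groupofuniquenames"], "uniquemember": [ALICE]},
    ALICE: {"userpassword": ["{SSHA}a"], "mail": ["alice@example.com"]},
    BOB: {"userpassword": ["{SSHA}b"], "mail": ["bob@example.com"], "owner": [CHARLIE]},
    DOMAIN: {"dc": ["example.org"], "owner": [DAVE]},
}

def parse_acl(text):
    """Return [(what, [(who, level), ...]), ...] in file order; the order is significant."""
    rules = []
    for line in (l.strip() for l in text.splitlines()):
        if line.startswith("access to "):
            rules.append((line[len("access to "):].strip(), []))
        elif line.startswith("by "):
            who, level = line[3:].rsplit(" ", 1)
            rules[-1][1].append((who.strip(), level))
    return rules

def has_value(entry, attr, value):
    return any(v.lower() == value.lower() for v in entry.get(attr.lower(), []))

def what_matches(what, target_dn, attr):
    if what == "*":
        return True
    if what.startswith(("attribute=", "attrs=", "attr=")):
        return attr.lower() in what.split("=", 1)[1].lower().split(",")
    if what.startswith('dn="'):  # unanchored like regexec(); real ACLs should use ^ and $
        return re.search(what[4:-1], target_dn, re.I) is not None
    raise ValueError(f"unsupported <what>: {what}")

def who_matches(who, subject, target_dn, directory):
    """subject is the bound DN, or None for an anonymous connection."""
    if who == "*":
        return True
    if who == "anonymous":
        return subject is None
    if who == "self":
        return subject is not None and subject.lower() == target_dn.lower()
    if who.startswith("dnattr="):  # subject must be listed in an attribute of the target entry
        return subject is not None and has_value(directory.get(target_dn.lower(), {}), who[7:], subject)
    if who.startswith("group/"):  # group/<objectClass>/<memberAttr>="<group dn>"
        spec, _, group_dn = who.partition("=")
        _, oc, member_attr = spec.split("/")
        group = directory.get(group_dn.strip('"').lower(), {})
        return (subject is not None and has_value(group, "objectclass", oc)
                and has_value(group, member_attr, subject))
    raise ValueError(f"unsupported <who>: {who}")

def access_for(rules, directory, subject, target_dn, attr):
    """Level granted to subject on (target_dn, attr): first match at both levels."""
    for what, bys in rules:
        if what_matches(what, target_dn, attr):
            for who, level in bys:
                if who_matches(who, subject, target_dn, directory):
                    return level
            return "none"  # no <by> matched: implicit 'by * none'
    return "none"  # no <what> matched: implicit 'access to * by * none'

def allowed(rules, directory, subject, target_dn, attr, wanted):
    return LEVELS.index(access_for(rules, directory, subject, target_dn, attr)) >= LEVELS.index(wanted)

RULES = parse_acl(ACL_TEXT)

def ordering_pitfalls():
    """(a) catch-all moved first: the userPassword directive is never reached, anonymous reads
    every hash. (b) 'by * none' moved to the top: it beats the group clause, alice is locked out."""
    catchall_first = [RULES[2], RULES[0], RULES[1]]
    what, bys = RULES[0]
    deny_first = [(what, [bys[-1]] + bys[:-1])] + RULES[1:]
    return (allowed(catchall_first, DIRECTORY, None, BOB, "userPassword", "read"),
            not allowed(deny_first, DIRECTORY, ALICE, BOB, "userPassword", "write"))

if __name__ == "__main__":  # quick demonstration of who gets what on bob's userPassword
    print({n: access_for(RULES, DIRECTORY, s, BOB, "userPassword") for n, s in
           (("anonymous", None), ("alice", ALICE), ("bob", BOB), ("charlie", CHARLIE), ("dave", DAVE))})
    print("catch-all first leaks hashes, deny first locks out admins:", ordering_pitfalls())
```

The model deliberately stops at the first matching ''by'' clause with no ''continue''/''break'' control and ignores the ''disclose''/''manage'' levels and entry-level (as opposed to attribute-level) access; it is enough to see why the order of the page's directives cannot be changed.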