Blame: OpenLdapAccessControls
Annotated edit history of OpenLdapAccessControls version 8, including all changes.
OpenLDAP has very flexible and powerful access controls, however they aren't well documented. Sure there is lots of documentation about them, but none of the documentation says anything *useful*. The most useful part of the documentation I found was the [BNF], but as most people soon realise a [BNF] tells you how, but leaves you n.f.i. what is going to happen with a particular grammar.

Anyhow, I'm going to try and explain the access controls __I__ use (which I think covers most of the more advanced features).

Some points to note before we start (for good luck):
# Order of ''access'' clauses matters. OpenLDAP will stop looking at the first one that matches the entry (and attribute) being accessed; later ''access'' clauses are never consulted for that request.
# Order of ''by'' clauses matters. OpenLDAP will stop looking at the first one that matches the user doing the accessing, and that clause alone decides the access level. If no ''by'' clause matches, access is denied (every ''access'' clause ends with an implicit ''by * none'').

So this is the config I use:

    access to attribute=userPassword
        by group/groupofuniquenames/uniquemember="ou=!AdminUsers,ou=Accounts,$BASEDN" write
        by dnattr=owner write
        by anonymous auth
        by self write
        by * none

    access to dn=".*,ou=Domains,$BASEDN"
        by group/groupofuniquenames/uniquemember="ou=!AdminUsers,ou=Accounts,$BASEDN" write
        by dnattr=owner write
        by * read

    access to *
        by group/groupOfUniqueNames/uniqueMember="ou=!AdminUsers,ou=Accounts,$BASEDN" write
        by * read

Now, let's go over it step by step.

The first ''access'' is used to protect the ''userPassword'' attribute, which stores passwords.

    access to attribute=userPassword

So, this matches anything which has a "userPassword" attribute anywhere in the tree. Simple enough. (Current slapd.access(5) spells this selector ''attrs=userPassword''.)

    by group/groupofuniquenames/uniquemember="ou=!AdminUsers,ou=Accounts,$BASEDN" write

This matches the DN of the person doing the accessing against the uniqueMember attribute of the groupOfUniqueNames object ou=!AdminUsers,ou=Accounts,$BASEDN, and gives them write access.

This is somewhat confusing so let's go over this again. cn=alice,ou=Accounts,$BASEDN wants to modify cn=bob,ou=Accounts,$BASEDN's foo attribute. This looks up the "uniqueMember" attribute on ou=!AdminUsers,ou=Accounts,$BASEDN and checks to see if cn=alice,ou=Accounts,$BASEDN is there, and, if so, lets her modify cn=bob,ou=Accounts,$BASEDN's object.

For reference the ou=!AdminUsers,ou=Accounts,$BASEDN object looks like:

    dn: ou=!AdminUsers,ou=Accounts,$BASEDN
    objectClass: top
    objectClass: groupOfUniqueNames
    ou: !AdminUsers
    uniqueMember: cn=alice,ou=Accounts,$BASEDN
    uniqueMember: cn=James Curtis,ou=Accounts,$BASEDN
    uniqueMember: cn=Perry Lorier,ou=Accounts,$BASEDN

Adding/removing people from the uniqueMember relation will grant/revoke their access.

    by dnattr=owner write

This checks to see if the user doing the access appears in the "owner" attribute of the object being modified. For instance, if cn=charlie,ou=Accounts,$BASEDN wanted to access cn=bob,ou=Accounts,$BASEDN's foo attribute, then this would check to see if cn=charlie,ou=Accounts,$BASEDN appeared in cn=bob,ou=Accounts,$BASEDN's owner attribute first.

    by anonymous auth

This lets the anonymous user (a user who hasn't yet logged in) authenticate using the password, but they can't read or write it.

    by self write

This lets the user who matches the DN of the object write to the object. For instance, if cn=bob,ou=Accounts,$BASEDN wanted to change his password he could (since the object he is accessing is the object he is coming from).

    by * none

No one else must be able to read or write the password. Fairly simple really.

    access to dn=".*,ou=Domains,$BASEDN"

Right, onto the next access. This matches everything under the Domains subtree. Note the use of a regex(7); on current OpenLDAP releases write this as ''dn.regex="..."'' so the pattern is explicitly treated as a regular expression.

    by group/groupofuniquenames/uniquemember="ou=!AdminUsers,ou=Accounts,$BASEDN" write

Once again, anyone in the !AdminUsers group can modify this tree.

    by dnattr=owner write

And the person that owns this object can modify it.

    by * read

And, by default, anyone can read this.

    access to *

Now, for everything else in the tree (a catch-all). Note that this is just "*", it doesn't have to be ".*".

    by group/groupOfUniqueNames/uniqueMember="ou=!AdminUsers,ou=Accounts,$BASEDN" write

Admins can write, because admins are power tripping egomaniacs with something to prove.

    by * read

And everyone else can look but not touch. You never know when some user is going to accidentally destroy your entire tree, so you'd rather not give them the opportunity.
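To see the two ordering rules in action, here is an added example (not from the original page, and not slapd code): a small Python model of slapd's first-match evaluation, loaded with the three ''access'' clauses above. The base DN dc=example,dc=com, the entries and their owner values are constructed for the demo, and the privilege ladder is a subset of slapd's.

```python
import re
BASE = "dc=example,dc=com"                       # stands in for $BASEDN (constructed)
ADMINS = f"ou=!AdminUsers,ou=Accounts,{BASE}"
LEVELS = ["none", "auth", "compare", "search", "read", "write"]   # subset of slapd's ladder

# Constructed directory: the admin group, two users and one domain entry.
DIRECTORY = {
    ADMINS: {"uniqueMember": [f"cn=alice,ou=Accounts,{BASE}"]},
    f"cn=bob,ou=Accounts,{BASE}": {"userPassword": ["{SSHA}..."],
                                    "owner": [f"cn=charlie,ou=Accounts,{BASE}"]},
    f"cn=charlie,ou=Accounts,{BASE}": {"userPassword": ["{SSHA}..."]},
    f"dc=example.org,ou=Domains,{BASE}": {"owner": [f"cn=bob,ou=Accounts,{BASE}"]},
}

# The page's three access clauses, in order: (what, [(who, argument, level), ...]).
ACLS = [
    (("attr", "userPassword"), [("group", ADMINS, "write"), ("dnattr", "owner", "write"),
                                ("anonymous", None, "auth"), ("self", None, "write"),
                                ("*", None, "none")]),
    (("dn", rf".*,ou=Domains,{re.escape(BASE)}"), [("group", ADMINS, "write"),
                                                   ("dnattr", "owner", "write"),
                                                   ("*", None, "read")]),
    (("dn", ".*"), [("group", ADMINS, "write"), ("*", None, "read")]),
]

def who_matches(who, arg, requester, target):
    """Does one <who> clause match the requester (None = anonymous) for this entry?"""
    if who == "group":      # group/groupOfUniqueNames/uniqueMember=<group dn>
        return requester in DIRECTORY.get(arg, {}).get("uniqueMember", [])
    if who == "dnattr":     # dnattr=<attr>: requester is listed in the target's <attr>
        return requester in DIRECTORY.get(target, {}).get(arg, [])
    return {"*": True, "anonymous": requester is None, "self": requester == target}[who]

def granted(requester, target, attr):
    """Access level slapd would grant: the first access clause matching the target
    is the only one consulted, and its first matching by clause decides."""
    for (kind, pattern), bys in ACLS:
        if kind == "attr" and attr != pattern:
            continue
        if kind == "dn" and not re.fullmatch(pattern, target):
            continue
        for who, arg, level in bys:
            if who_matches(who, arg, requester, target):
                return level
        return "none"          # clause matched but no by clause did: implicit by * none
    return "none"              # nothing matched: implicit access to * by * none

def allowed(requester, target, attr, need):
    return LEVELS.index(granted(requester, target, attr)) >= LEVELS.index(need)
```

Note that bob reading charlie's userPassword yields none even though the catch-all would grant read: the userPassword clause matched first, so the catch-all is never reached.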
