(Page history: revision 6 by PerryLorier, revision 7 by AndreasRother.)

OpenLDAP has very flexible and powerful access controls; however, they aren't well documented. Sure, there is lots of documentation about them, but none of it says anything *useful*. The most useful part of the documentation I found was the [BNF], but as most people soon realise, a [BNF] tells you how to write a rule but leaves you with n.f.i. what a particular piece of grammar is actually going to do.

Anyhow, I'm going to try and explain the access controls __I__ use (which I think cover most of the more advanced features).

Some points to note before we start (for good luck):
# The order of ''access'' clauses matters. OpenLDAP stops at the first one whose ''to'' part matches.
# The order of ''by'' clauses matters. OpenLDAP stops at the first one that matches within that ''access'' clause (and if none of its ''by'' clauses match, access is denied).

So this is the config I use (''$BASEDN'' is a placeholder for your base DN; slapd does no variable expansion, so write the real DN in slapd.conf):

    access to attribute=userPassword
        by group/groupofuniquenames/uniquemember="ou=!AdminUsers,ou=Accounts,$BASEDN" write
        by dnattr=owner write
        by anonymous auth
        by self write
        by * none

    access to dn=".*,ou=Domains,$BASEDN"
        by group/groupofuniquenames/uniquemember="ou=!AdminUsers,ou=Accounts,$BASEDN" write
        by dnattr=owner write
        by * read

    access to *
        by group/groupOfUniqueNames/uniqueMember="ou=!AdminUsers,ou=Accounts,$BASEDN" write
        by * read

Now, let's go over it step by step.

The first ''access'' is used to protect the ''userPassword'' attribute, which stores passwords.

    access to attribute=userPassword

So this matches anything which has a "userPassword" attribute, anywhere in the tree. Simple enough.

    by group/groupofuniquenames/uniquemember="ou=!AdminUsers,ou=Accounts,$BASEDN" write

This matches the DN of the person doing the accessing against the ''uniquemember'' attribute of the ''groupofuniquenames'' object at ou=!AdminUsers,ou=Accounts,$BASEDN, and gives them write access.

This is somewhat confusing, so let's go over it again. cn=alice,ou=Accounts,$BASEDN wants to modify cn=bob,ou=Accounts,$BASEDN's foo attribute. slapd looks up the "uniquemember" attribute on ou=!AdminUsers,ou=Accounts,$BASEDN and checks whether cn=alice,ou=Accounts,$BASEDN is listed there; if so, it lets her modify cn=bob,ou=Accounts,$BASEDN's object.

For reference, the ou=!AdminUsers,ou=Accounts,$BASEDN object looks like:

    dn: ou=!AdminUsers,ou=Accounts,$BASEDN
    objectClass: top
    objectClass: groupOfUniqueNames
    ou: !AdminUsers
    uniqueMember: cn=alice,ou=Accounts,$BASEDN
    uniqueMember: cn=James Curtis,ou=Accounts,$BASEDN
    uniqueMember: cn=Perry Lorier,ou=Accounts,$BASEDN

Adding/removing people from the uniqueMember attribute will grant/revoke their access.

    by dnattr=owner write

This checks whether the user doing the access appears in the "owner" attribute of the object being accessed. For instance, if cn=charlie,ou=Accounts,$BASEDN wanted to access cn=bob,ou=Accounts,$BASEDN's foo attribute, this would check whether cn=charlie,ou=Accounts,$BASEDN appears in cn=bob,ou=Accounts,$BASEDN's owner attribute first. Note that with this config only admins can write the ''owner'' attribute (the catch-all ''access to *'' below gives ordinary users read only), so a user can't make themselves the owner of someone else's entry and then reset its password.

    by anonymous auth

This lets the anonymous user (a user who hasn't yet logged in) authenticate using the password, but they can't read or write it (''auth'' sits below ''compare'' and ''read'', so it doesn't even allow a compare against the stored value).

    by self write

This lets the user whose DN matches the object's DN write to it. For instance, if cn=bob,ou=Accounts,$BASEDN wanted to change his password, he could (since the object he is accessing is the object he is bound as).

    by * none

No one else must be able to read or write the password. Fairly simple, really.

    access to dn=".*,ou=Domains,$BASEDN"

Right, on to the next access. This matches everything under the Domains subtree. Note the use of a regex(7). Newer slapd releases want the match style spelled out, so write dn.regex="..." for a regex (or dn.subtree="ou=Domains,$BASEDN" for a plain subtree match) rather than relying on a bare dn= being read as a regex.

    by group/groupofuniquenames/uniquemember="ou=!AdminUsers,ou=Accounts,$BASEDN" write

Once again, anyone in the !AdminUsers group can modify this tree.

    by dnattr=owner write

And the person that owns this object can modify it.

    by * read

And by default anyone can read this.

    access to *

Now for everything else in the tree (a catch-all). Note that this is just "*"; it doesn't have to be ".*".

    by group/groupOfUniqueNames/uniqueMember="ou=!AdminUsers,ou=Accounts,$BASEDN" write

Admins can write, because admins are power-tripping egomaniacs with something to prove.

    by * read

And everyone else can look but not touch: you never know when some user is going to accidentally destroy your entire tree, so you'd rather not give them the opportunity. Bear in mind that "*" includes anonymous (unbound) connections, so everything except passwords is readable without logging in; if you'd rather require a login first, use ''by users read'' instead.
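To see the two ordering rules at work on this exact config, here is an added example (my own code, not part of this page and not OpenLDAP's) that models slapd's ACL evaluation in Python over a small constructed directory. It assumes $BASEDN is dc=example,dc=com, a made-up domain entry under ou=Domains owned by bob, and charlie listed as the owner of bob's entry; it models only the selectors this config uses, not slapd's full ACL language. Besides answering "who may do what" for each clause, it shows what happens when the same ''by'' lines are written in a different order, and how editing the group's uniqueMember values grants and revokes admin rights.

```python
"""Toy model of how slapd evaluates the ACL on this page (added example, not
OpenLDAP code): the first matching `access to` clause wins, then the first
matching `by` clause inside it. Only the selectors this config uses are modelled."""
import copy
import re

BASEDN = "dc=example,dc=com"            # assumed stand-in for the page's $BASEDN
ACCOUNTS = f"ou=Accounts,{BASEDN}"
ADMIN_GROUP = f"ou=!AdminUsers,{ACCOUNTS}"

# slapd privilege levels, lowest to highest; a granted level implies all lower ones
LEVELS = ["none", "auth", "compare", "search", "read", "write"]

# Constructed in-memory directory: DN -> {lowercased attribute: [values]}.
# Password values are fake placeholders; the Domains entry is invented for the demo.
DIRECTORY = {
    ADMIN_GROUP: {"objectclass": ["groupOfUniqueNames"], "uniquemember": [f"cn=alice,{ACCOUNTS}"]},
    f"cn=alice,{ACCOUNTS}": {"userpassword": ["{SSHA}fake"]},
    f"cn=bob,{ACCOUNTS}": {"userpassword": ["{SSHA}fake"], "owner": [f"cn=charlie,{ACCOUNTS}"]},
    f"cn=charlie,{ACCOUNTS}": {"userpassword": ["{SSHA}fake"]},
    f"dc=example.org,ou=Domains,{BASEDN}": {"dc": ["example.org"], "owner": [f"cn=bob,{ACCOUNTS}"]},
}

# The page's three access clauses as data: (what-selector, [(who-selector, level), ...]).
ACL = [
    ({"attribute": "userpassword"}, [
        ({"group": ADMIN_GROUP}, "write"),
        ({"dnattr": "owner"}, "write"),
        ({"who": "anonymous"}, "auth"),
        ({"who": "self"}, "write"),
        ({"who": "*"}, "none"),
    ]),
    ({"dn_regex": rf".*,ou=Domains,{re.escape(BASEDN)}"}, [
        ({"group": ADMIN_GROUP}, "write"),
        ({"dnattr": "owner"}, "write"),
        ({"who": "*"}, "read"),
    ]),
    ({"what": "*"}, [
        ({"group": ADMIN_GROUP}, "write"),
        ({"who": "*"}, "read"),
    ]),
]

def _has_value(dn, attr, value):
    """True if entry `dn` lists `value` under `attr` (DNs compare case-insensitively)."""
    values = DIRECTORY.get(dn, {}).get(attr, [])
    return value is not None and value.lower() in (v.lower() for v in values)

def what_matches(what, target_dn, attr):
    if "attribute" in what:                 # access to attribute=...
        return attr is not None and attr.lower() == what["attribute"]
    if "dn_regex" in what:                  # access to dn="<regex>"
        return re.fullmatch(what["dn_regex"], target_dn, re.IGNORECASE) is not None
    return True                             # access to *

def who_matches(who, bind_dn, target_dn):
    """bind_dn is None for an anonymous (not yet bound) connection."""
    if "group" in who:                      # by group/groupOfUniqueNames/uniqueMember="..."
        return _has_value(who["group"], "uniquemember", bind_dn)
    if "dnattr" in who:                     # by dnattr=owner: bind DN listed in target's owner
        return _has_value(target_dn, who["dnattr"], bind_dn)
    kind = who["who"]
    if kind == "anonymous":
        return bind_dn is None
    if kind == "self":
        return bind_dn is not None and bind_dn.lower() == target_dn.lower()
    return True                             # by *

def granted_level(bind_dn, target_dn, attr=None, acl=ACL):
    """Level slapd would grant; an access clause that matches the target but
    none of whose by clauses match the requester ends evaluation with a deny."""
    for what, bys in acl:
        if not what_matches(what, target_dn, attr):
            continue
        for who, level in bys:
            if who_matches(who, bind_dn, target_dn):
                return level
        return "none"
    return "none"

def allowed(bind_dn, target_dn, attr, wanted, acl=ACL):
    return LEVELS.index(granted_level(bind_dn, target_dn, attr, acl)) >= LEVELS.index(wanted)

def set_admin(dn, member):
    """Grant or revoke admin rights by editing the group's uniqueMember values."""
    members = DIRECTORY[ADMIN_GROUP]["uniquemember"]
    if member and dn not in members:
        members.append(dn)
    elif not member and dn in members:
        members.remove(dn)

def with_by_star_none_first():
    """The userPassword clause with `by * none` moved ahead of `by self write`:
    same lines, different order, and users can no longer change their own password."""
    acl = copy.deepcopy(ACL)
    bys = acl[0][1]
    bys.insert(3, bys.pop(4))
    return acl

if __name__ == "__main__":
    bob = f"cn=bob,{ACCOUNTS}"
    for who in (f"cn=alice,{ACCOUNTS}", f"cn=charlie,{ACCOUNTS}", bob, None):
        print(who or "anonymous", "->", granted_level(who, bob, "userPassword"), "on bob's userPassword")
```

On a real server the same questions are answered by slapacl(8), which evaluates the loaded ACLs without going through the network, e.g. `slapacl -f /etc/ldap/slapd.conf -D "cn=alice,ou=Accounts,dc=example,dc=com" -b "cn=bob,ou=Accounts,dc=example,dc=com" userPassword/write` (config path and DNs are assumptions for the example). Running it for each role in the table after every ACL change is the cheapest way to catch a clause that ended up in the wrong order.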