Am Sonntag, 17. Mai 2015 17:25 CEST, Dieter Klünter dieter@dkluenter.de schrieb:
Am Sat, 16 May 2015 16:39:47 -0400 schrieb Brendan Kearney bpk678@gmail.com:
i am looking to improve my access controls, and wanted to make sure the below passes muster and sanely implements what i am looking for.
0 - ldap admins get access to the entire directory {0}to dn.subtree="dc=bpk2,dc=com" by group.exact="cn=ldapAdmins,ou=domainGroups,ou=Groups,dc=bpk2,dc=com" manage by anonymous auth by * none
1 - kerberos id get only the access they need {1}to dn.subtree="cn=BPK2.COM,dc=bpk2,dc=com" by dn="cn=kadmin,dc=bpk2,dc=com" write by dn="cn=kdc,dc=bpk2,dc=com" read by * none
?
you should test your acl's with slapacl(8)
Tests will never be a substitute for a good reasoning about code. To write/perform good test one needs to understand the code ....
The OPs "example" is way to big way too big for a ML-question. Such auditing really is (paid) work. But just as a remark (and starting point for the OP):
0 - ldap admins get access to the entire directory {0}to dn.subtree="dc=bpk2,dc=com" by group.exact="cn=ldapAdmins,ou=domainGroups,ou=Groups,dc=bpk2,dc=com" manage by anonymous auth by * none
1 - kerberos id get only the access they need {1}to dn.subtree="cn=BPK2.COM,dc=bpk2,dc=com" by dn="cn=kadmin,dc=bpk2,dc=com" write by dn="cn=kdc,dc=bpk2,dc=com" read by * none
Question 1: what entry will _not_ match the first rule? Answer: no entry (because of the "by *").
Question 2: What entries will hit rule 2 Answer: no entry. Since anything matching 'to dn.subtree="cn=BPK2.COM,dc=bpk2,dc=com"' will also match 'to dn.subtree="dc=bpk2,dc=com" and will be handled in that rule.
You really need to get the order of your rules right (and make use of "pass" ...)
HTH Ralf Mattes