ACL sanity check

16 May 2015


      i am looking to improve my access controls, and wanted to make sure the 
below passes muster and sanely implements what i am looking for.
0 - ldap admins get access to the entire directory
{0}to dn.subtree="dc=bpk2,dc=com"
         by 
group.exact="cn=ldapAdmins,ou=domainGroups,ou=Groups,dc=bpk2,dc=com" manage
         by anonymous auth
         by * none
1 - kerberos id get only the access they need
{1}to dn.subtree="cn=BPK2.COM,dc=bpk2,dc=com"
         by dn="cn=kadmin,dc=bpk2,dc=com" write
         by dn="cn=kdc,dc=bpk2,dc=com" read
         by * none
2 - dns engineers, admins and dns process accounts get access
{2}to dn.subtree="cn=dns,ou=Daemons,dc=bpk2,dc=com"
         by 
group.exact="cn=dnsEngineers,ou=domainGroups,ou=Groups,dc=bpk2,dc=com" 
manage
         by 
group.exact="cn=dnsAdmins,ou=domainGroups,ou=Groups,dc=bpk2,dc=com" write
         by 
group.exact="cn=dnsProcesses,ou=processGroups,ou=Groups,dc=bpk2,dc=com" 
write
         by * none
3 - dhcp engineers, admins and dhcp process accounts get access
{3}to dn.subtree="cn=DHCP Config,ou=Daemons,dc=bpk2,dc=com"
         by 
group.exact="cn=dhcpEngineers,ou=domainGroups,ou=Groups,dc=bpk2,dc=com" 
manage
         by 
group.exact="cn=dhcpAdmins,ou=domainGroups,ou=Groups,dc=bpk2,dc=com" write
         by 
group.exact="cn=dhcpProcesses,ou=processGroups,ou=Groups,dc=bpk2,dc=com" 
read
         by * none
4 - dhcp engineers, admins and dhcp process accounts get access
{4}to dn.subtree="cn=DHCP Servers,ou=Daemons,dc=bpk2,dc=com"
         by 
group.exact="cn=dhcpEngineers,ou=domainGroups,ou=Groups,dc=bpk2,dc=com" 
manage
         by 
group.exact="cn=dhcpAdmins,ou=domainGroups,ou=Groups,dc=bpk2,dc=com" write
         by 
group.exact="cn=dhcpProcesses,ou=processGroups,ou=Groups,dc=bpk2,dc=com" 
read
         by * none
5 - users can read this ou
{5}to dn.subtree="ou=Computers,dc=bpk2,dc=com"
         by users read
         by * none
6 - users can read this ou
{6}to dn.subtree="ou=Groups,dc=bpk2,dc=com"
         by users read
         by * none
7 - users can read this ou
{7}to dn.subtree="ou=Networks,dc=bpk2,dc=com"
         by users read
         by * none
8 - users can read this ou
{8}to dn.subtree="ou=Users,dc=bpk2,dc=com"
         by users read
         by * none
are there any specific ACLs that i should have?  are there any glaring 
issues with the above proposed ACLs?

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

ACL sanity check