Re: ACL sanity check

17 May 2015


      Am Sat, 16 May 2015 16:39:47 -0400
schrieb Brendan Kearney bpk678@gmail.com:
...
i am looking to improve my access controls, and wanted to make sure
the below passes muster and sanely implements what i am looking for.
0 - ldap admins get access to the entire directory
{0}to dn.subtree="dc=bpk2,dc=com"
         by 
group.exact="cn=ldapAdmins,ou=domainGroups,ou=Groups,dc=bpk2,dc=com"
manage by anonymous auth
         by * none
1 - kerberos id get only the access they need
{1}to dn.subtree="cn=BPK2.COM,dc=bpk2,dc=com"
         by dn="cn=kadmin,dc=bpk2,dc=com" write
         by dn="cn=kdc,dc=bpk2,dc=com" read
         by * none
2 - dns engineers, admins and dns process accounts get access
{2}to dn.subtree="cn=dns,ou=Daemons,dc=bpk2,dc=com"
         by 
group.exact="cn=dnsEngineers,ou=domainGroups,ou=Groups,dc=bpk2,dc=com" 
manage
         by 
group.exact="cn=dnsAdmins,ou=domainGroups,ou=Groups,dc=bpk2,dc=com"
write by 
group.exact="cn=dnsProcesses,ou=processGroups,ou=Groups,dc=bpk2,dc=com" 
write
         by * none
3 - dhcp engineers, admins and dhcp process accounts get access
{3}to dn.subtree="cn=DHCP Config,ou=Daemons,dc=bpk2,dc=com"
         by 
group.exact="cn=dhcpEngineers,ou=domainGroups,ou=Groups,dc=bpk2,dc=com" 
manage
         by 
group.exact="cn=dhcpAdmins,ou=domainGroups,ou=Groups,dc=bpk2,dc=com"
write by 
group.exact="cn=dhcpProcesses,ou=processGroups,ou=Groups,dc=bpk2,dc=com" 
read
         by * none
4 - dhcp engineers, admins and dhcp process accounts get access
{4}to dn.subtree="cn=DHCP Servers,ou=Daemons,dc=bpk2,dc=com"
         by 
group.exact="cn=dhcpEngineers,ou=domainGroups,ou=Groups,dc=bpk2,dc=com" 
manage
         by 
group.exact="cn=dhcpAdmins,ou=domainGroups,ou=Groups,dc=bpk2,dc=com"
write by 
group.exact="cn=dhcpProcesses,ou=processGroups,ou=Groups,dc=bpk2,dc=com" 
read
         by * none
5 - users can read this ou
{5}to dn.subtree="ou=Computers,dc=bpk2,dc=com"
         by users read
         by * none
6 - users can read this ou
{6}to dn.subtree="ou=Groups,dc=bpk2,dc=com"
         by users read
         by * none
7 - users can read this ou
{7}to dn.subtree="ou=Networks,dc=bpk2,dc=com"
         by users read
         by * none
8 - users can read this ou
{8}to dn.subtree="ou=Users,dc=bpk2,dc=com"
         by users read
         by * none
are there any specific ACLs that i should have?  are there any
glaring issues with the above proposed ACLs?
you should test your acl's with slapacl(8)
-Dieter
-- 
Dieter Klünter | Systemberatung
http://sys4.de
GPG Key ID: E9ED159B
53°37'09,95"N
10°08'02,42"E

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

Re: ACL sanity check