I am looking to improve my access controls, and wanted to make sure the below passes muster and sanely implements what I am looking for.

0 - ldap admins get access to the entire directory
{0}to dn.subtree="dc=bpk2,dc=com"
    by group.exact="cn=ldapAdmins,ou=domainGroups,ou=Groups,dc=bpk2,dc=com" manage
    by anonymous auth
    by * none

1 - kerberos ids get only the access they need
{1}to dn.subtree="cn=BPK2.COM,dc=bpk2,dc=com"
    by dn="cn=kadmin,dc=bpk2,dc=com" write
    by dn="cn=kdc,dc=bpk2,dc=com" read
    by * none

2 - dns engineers, admins and dns process accounts get access
{2}to dn.subtree="cn=dns,ou=Daemons,dc=bpk2,dc=com"
    by group.exact="cn=dnsEngineers,ou=domainGroups,ou=Groups,dc=bpk2,dc=com" manage
    by group.exact="cn=dnsAdmins,ou=domainGroups,ou=Groups,dc=bpk2,dc=com" write
    by group.exact="cn=dnsProcesses,ou=processGroups,ou=Groups,dc=bpk2,dc=com" write
    by * none

3 - dhcp engineers, admins and dhcp process accounts get access
{3}to dn.subtree="cn=DHCP Config,ou=Daemons,dc=bpk2,dc=com"
    by group.exact="cn=dhcpEngineers,ou=domainGroups,ou=Groups,dc=bpk2,dc=com" manage
    by group.exact="cn=dhcpAdmins,ou=domainGroups,ou=Groups,dc=bpk2,dc=com" write
    by group.exact="cn=dhcpProcesses,ou=processGroups,ou=Groups,dc=bpk2,dc=com" read
    by * none

4 - dhcp engineers, admins and dhcp process accounts get access
{4}to dn.subtree="cn=DHCP Servers,ou=Daemons,dc=bpk2,dc=com"
    by group.exact="cn=dhcpEngineers,ou=domainGroups,ou=Groups,dc=bpk2,dc=com" manage
    by group.exact="cn=dhcpAdmins,ou=domainGroups,ou=Groups,dc=bpk2,dc=com" write
    by group.exact="cn=dhcpProcesses,ou=processGroups,ou=Groups,dc=bpk2,dc=com" read
    by * none

5 - users can read this ou
{5}to dn.subtree="ou=Computers,dc=bpk2,dc=com"
    by users read
    by * none

6 - users can read this ou
{6}to dn.subtree="ou=Groups,dc=bpk2,dc=com"
    by users read
    by * none

7 - users can read this ou
{7}to dn.subtree="ou=Networks,dc=bpk2,dc=com"
    by users read
    by * none

8 - users can read this ou
{8}to dn.subtree="ou=Users,dc=bpk2,dc=com"
    by users read
    by * none

Are there any specific ACLs that I should have? Are there any glaring issues with the above proposed ACLs?
On Sat, 16 May 2015 16:39:47 -0400, Brendan Kearney bpk678@gmail.com wrote:

> I am looking to improve my access controls, and wanted to make sure the below passes muster and sanely implements what I am looking for.
>
> 0 - ldap admins get access to the entire directory
> {0}to dn.subtree="dc=bpk2,dc=com"
>     by group.exact="cn=ldapAdmins,ou=domainGroups,ou=Groups,dc=bpk2,dc=com" manage
>     by anonymous auth
>     by * none
>
> 1 - kerberos ids get only the access they need
> {1}to dn.subtree="cn=BPK2.COM,dc=bpk2,dc=com"
>     by dn="cn=kadmin,dc=bpk2,dc=com" write
>     by dn="cn=kdc,dc=bpk2,dc=com" read
>     by * none
>
> 2 - dns engineers, admins and dns process accounts get access
> {2}to dn.subtree="cn=dns,ou=Daemons,dc=bpk2,dc=com"
>     by group.exact="cn=dnsEngineers,ou=domainGroups,ou=Groups,dc=bpk2,dc=com" manage
>     by group.exact="cn=dnsAdmins,ou=domainGroups,ou=Groups,dc=bpk2,dc=com" write
>     by group.exact="cn=dnsProcesses,ou=processGroups,ou=Groups,dc=bpk2,dc=com" write
>     by * none
>
> 3 - dhcp engineers, admins and dhcp process accounts get access
> {3}to dn.subtree="cn=DHCP Config,ou=Daemons,dc=bpk2,dc=com"
>     by group.exact="cn=dhcpEngineers,ou=domainGroups,ou=Groups,dc=bpk2,dc=com" manage
>     by group.exact="cn=dhcpAdmins,ou=domainGroups,ou=Groups,dc=bpk2,dc=com" write
>     by group.exact="cn=dhcpProcesses,ou=processGroups,ou=Groups,dc=bpk2,dc=com" read
>     by * none
>
> 4 - dhcp engineers, admins and dhcp process accounts get access
> {4}to dn.subtree="cn=DHCP Servers,ou=Daemons,dc=bpk2,dc=com"
>     by group.exact="cn=dhcpEngineers,ou=domainGroups,ou=Groups,dc=bpk2,dc=com" manage
>     by group.exact="cn=dhcpAdmins,ou=domainGroups,ou=Groups,dc=bpk2,dc=com" write
>     by group.exact="cn=dhcpProcesses,ou=processGroups,ou=Groups,dc=bpk2,dc=com" read
>     by * none
>
> 5 - users can read this ou
> {5}to dn.subtree="ou=Computers,dc=bpk2,dc=com"
>     by users read
>     by * none
>
> 6 - users can read this ou
> {6}to dn.subtree="ou=Groups,dc=bpk2,dc=com"
>     by users read
>     by * none
>
> 7 - users can read this ou
> {7}to dn.subtree="ou=Networks,dc=bpk2,dc=com"
>     by users read
>     by * none
>
> 8 - users can read this ou
> {8}to dn.subtree="ou=Users,dc=bpk2,dc=com"
>     by users read
>     by * none
>
> Are there any specific ACLs that I should have? Are there any glaring issues with the above proposed ACLs?
You should test your ACLs with slapacl(8).
-Dieter
On Sunday, 17 May 2015 17:25 CEST, Dieter Klünter dieter@dkluenter.de wrote:

> On Sat, 16 May 2015 16:39:47 -0400, Brendan Kearney bpk678@gmail.com wrote:
>
>> I am looking to improve my access controls, and wanted to make sure the below passes muster and sanely implements what I am looking for.
>>
>> 0 - ldap admins get access to the entire directory
>> {0}to dn.subtree="dc=bpk2,dc=com"
>>     by group.exact="cn=ldapAdmins,ou=domainGroups,ou=Groups,dc=bpk2,dc=com" manage
>>     by anonymous auth
>>     by * none
>>
>> 1 - kerberos ids get only the access they need
>> {1}to dn.subtree="cn=BPK2.COM,dc=bpk2,dc=com"
>>     by dn="cn=kadmin,dc=bpk2,dc=com" write
>>     by dn="cn=kdc,dc=bpk2,dc=com" read
>>     by * none
>
> ?
>
> You should test your ACLs with slapacl(8).
Tests will never be a substitute for good reasoning about code. To write/perform a good test one needs to understand the code ....

The OP's "example" is way too big for a ML question. Such auditing really is (paid) work. But just as a remark (and starting point for the OP):

> 0 - ldap admins get access to the entire directory
> {0}to dn.subtree="dc=bpk2,dc=com"
>     by group.exact="cn=ldapAdmins,ou=domainGroups,ou=Groups,dc=bpk2,dc=com" manage
>     by anonymous auth
>     by * none
>
> 1 - kerberos ids get only the access they need
> {1}to dn.subtree="cn=BPK2.COM,dc=bpk2,dc=com"
>     by dn="cn=kadmin,dc=bpk2,dc=com" write
>     by dn="cn=kdc,dc=bpk2,dc=com" read
>     by * none

Question 1: What entry will _not_ match the first rule? Answer: no entry (because of the "by *").

Question 2: What entries will hit rule 2? Answer: no entry, since anything matching 'to dn.subtree="cn=BPK2.COM,dc=bpk2,dc=com"' will also match 'to dn.subtree="dc=bpk2,dc=com"' and will be handled by that rule.

You really need to get the order of your rules right (and make use of "pass" ...)

HTH, Ralf Mattes
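To see Ralf's ordering point in action, here is an added example that is not code from this thread or from OpenLDAP: a small Python simulator of slapd's first-match ACL evaluation, fed rules 0, 1 and 8 as posted. It assumes the subjects, group memberships and entry DNs it constructs, and it goes one step beyond the thread by also modelling slapd's "break" control from slapd.access(5), which lets the admin catch-all stay first without shadowing the specific rules.

```python
# Added example: a small simulator of slapd's first-match ACL evaluation
# (slapd.access(5)) fed the thread's rules 0, 1 and 8. Not code from the
# thread or from OpenLDAP; subjects and entry DNs below are constructed.
LDAPADMINS = "cn=ldapAdmins,ou=domainGroups,ou=Groups,dc=bpk2,dc=com"

def in_subtree(entry_dn, base_dn):
    """dn.subtree: the entry is the base itself or lies anywhere below it."""
    e, b = entry_dn.lower(), base_dn.lower()
    return e == b or e.endswith("," + b)

def by_matches(kind, who, subj):
    """subj = (bound DN, or None for anonymous; frozenset of group DNs)."""
    dn, groups = subj
    return {"*": True, "anonymous": dn is None, "users": dn is not None,
            "dn": dn is not None and dn.lower() == (who or "").lower(),
            "group.exact": who in groups}.get(kind, False)

def evaluate(acls, entry_dn, subj):
    """The first 'to' clause matching the entry wins; within it the first
    matching 'by' clause decides. The 'break' control (slapd's own keyword)
    abandons that directive and goes on to the next one instead."""
    for target, by_clauses in acls:
        if not in_subtree(entry_dn, target):
            continue
        for kind, who, level, control in by_clauses:
            if by_matches(kind, who, subj):
                if control == "break":
                    break          # fall through to the next access directive
                return level
        else:
            return "none"          # no 'by' matched: implicit 'by * none'
    return "none"                  # no 'to' matched: slapd denies

# Rules as posted; "stop" is slapd's default control.
RULE0 = ("dc=bpk2,dc=com", [("group.exact", LDAPADMINS, "manage", "stop"),
         ("anonymous", None, "auth", "stop"), ("*", None, "none", "stop")])
RULE1 = ("cn=BPK2.COM,dc=bpk2,dc=com", [("dn", "cn=kadmin,dc=bpk2,dc=com", "write", "stop"),
         ("dn", "cn=kdc,dc=bpk2,dc=com", "read", "stop"), ("*", None, "none", "stop")])
RULE8 = ("ou=Users,dc=bpk2,dc=com", [("users", None, "read", "stop"),
         ("*", None, "none", "stop")])
# Same catch-all, but non-admins fall through to the later, specific rules.
RULE0_BREAK = (RULE0[0], RULE0[1][:2] + [("*", None, "none", "break")])

POSTED = [RULE0, RULE1, RULE8]       # catch-all first: rules 1 and 8 never run
REORDERED = [RULE1, RULE8, RULE0]    # specific first: admins lose manage there
WITH_BREAK = [RULE0_BREAK, RULE1, RULE8]
# Constructed subjects and a constructed principal entry under cn=BPK2.COM.
KDC = ("cn=kdc,dc=bpk2,dc=com", frozenset())
ALICE = ("uid=alice,ou=Users,dc=bpk2,dc=com", frozenset())
ADMIN = ("uid=bob,ou=Users,dc=bpk2,dc=com", frozenset({LDAPADMINS}))
PRINC = "krbPrincipalName=host/x@BPK2.COM,cn=BPK2.COM,dc=bpk2,dc=com"
```

The same questions can then be put to the live configuration with slapacl(8), as Dieter suggests, to confirm the decisions match.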
openldap-technical@openldap.org