[
https://issues.apache.org/jira/browse/FC-264?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16781692#comment-16781692
]
Shawn McKinney commented on FC-264:
-----------------------------------
The rationale for this change:
Make the directory system special purpose for fortress usage. This means only
service accounts, i.e. fortress-admin, have the ability to view and update data.
Users are given just enough access to bind and change password, and fields
needed for auditing. The directory and its data are locked down to the maximum.
Changed ACLs to the following.
1. The RootDSE must always be readable:
    access to dn.base="" by * read
2. The fortress admin (think service account) needs write access to the whole
DIT:
    access to dn.subtree="@SUFFIX@"
        by dn.exact="cn=fortress-admin,dc=admin,@SUFFIX@" write
        by * break
3. Accesslog is readable by replicator and fortress:
    access to dn.subtree="@LOG_SUFFIX@"
        by dn.exact="cn=replicator,dc=admin,@SUFFIX@" read
        by dn.exact="cn=fortress-admin,dc=admin,@SUFFIX@" read
        by * break
4. For tooling:
    access to dn.base="cn=subschema"
        by * read
5. Allow anonymous the ability to bind:
    access to dn.subtree="@SUFFIX@"
        by anonymous auth
        by * break
6. For audit trail:
a. Allow users to modify their own audit attributes:
    access to attrs=userPassword,ftModifier,ftModCode,ftModId
        by self =wx
        by * none
b. Allow users compare access to the permission tree:
    access to dn.subtree="ou=Permissions,ou=RBAC,dc=example,dc=com"
        by users compare
> Improve ACL in slapd test
> -------------------------
>
> Key: FC-264
> URL: https://issues.apache.org/jira/browse/FC-264
> Project: FORTRESS
> Issue Type: Improvement
> Affects Versions: 2.0.3
> Reporter: Shawn McKinney
> Assignee: Shawn McKinney
> Priority: Major
> Fix For: 2.0.4
>
>
> The ACLs in the slapd.conf test harness are in need of improvement.
> Configure the test instance to prevent all but privileged users from accessing
> entries. Users are allowed to modify their password and audit attributes
> because those operations are performed under the user's rights.
--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
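Added example (not code from the Fortress project or from the comment above): a small Python model of how slapd evaluates the seven directives listed in the comment, following the rules in slapd.access(5): `access to` directives are tried top to bottom, the first whose `<what>` matches the target is used, within it the first matching `by` clause decides, `break` drops through to the next directive, the default control `stop` is final, and anything not granted is denied. It exists to make the consequences of the ordering visible, for instance that `by self =wx` lets a user change but not read their own password, and that an ordinary user gets nothing at all on their own entry. Assumptions: @SUFFIX@ is dc=example,dc=com (rule 6b on the page already hard-codes it), @LOG_SUFFIX@ is taken to be cn=log, the user, permission and accesslog DNs are constructed, a `by` clause with no access level (as in `by * break`) is treated as granting nothing, and only the `dn.base`, `dn.subtree`, `dn.exact`, `attrs`, `*`, `anonymous`, `users` and `self` forms are modelled.

```python
"""Model of slapd ACL evaluation for the directives in the comment above.

Simplified from slapd.access(5): only the who/what forms used on the page
are supported, and a 'by' clause without an access level grants nothing
(assumption made here so that 'by * break' just falls through).
"""
from dataclasses import dataclass
from typing import Optional

SUFFIX = "dc=example,dc=com"      # @SUFFIX@ (rule 6b on the page uses this value)
LOG_SUFFIX = "cn=log"             # assumed value for @LOG_SUFFIX@; not given on the page
ADMIN = f"cn=fortress-admin,dc=admin,{SUFFIX}"
REPLICATOR = f"cn=replicator,dc=admin,{SUFFIX}"
ANON = ""                         # an anonymous session has no bind DN

# Cumulative access levels, weakest to strongest; "=<letters>" grants exactly those.
LEVELS = ["none", "disclose", "auth", "compare", "search", "read", "write", "manage"]
PRIV = {"m": "manage", "w": "write", "r": "read", "s": "search",
        "c": "compare", "x": "auth", "d": "disclose"}


def norm(dn):
    return dn.lower().replace(", ", ",")


def grant(spec):
    """Set of privileges conveyed by an access spec ('=wx' -> write and auth only)."""
    if spec is None:
        return set()
    if spec.startswith("="):
        return {PRIV[c] for c in spec[1:]}
    return set(LEVELS[:LEVELS.index(spec) + 1])


@dataclass
class Rule:
    by: list                       # [(who, access or None, control), ...]
    dn: Optional[tuple] = None     # ("base", dn) / ("subtree", dn); None = any entry
    attrs: Optional[set] = None    # lower-cased attribute names; None = any attribute


def clause(who, access=None, control="stop"):
    return (who, access, control)


def what_matches(rule, target, attr):
    if rule.dn is not None:
        style, base = rule.dn
        t, b = norm(target), norm(base)
        if style == "base" and t != b:
            return False
        if style == "subtree" and not (b == "" or t == b or t.endswith("," + b)):
            return False
    return rule.attrs is None or (attr is not None and attr.lower() in rule.attrs)


def who_matches(who, subject, target):
    if who == "*":
        return True
    if who == "anonymous":
        return subject == ANON
    if who == "users":
        return subject != ANON
    if who == "self":
        return subject != ANON and norm(subject) == norm(target)
    return who[0] == "dn.exact" and norm(subject) == norm(who[1])


def check(rules, subject, target, attr, priv):
    """True if 'subject' may exercise 'priv' on 'attr' (None = the entry) of 'target'."""
    for rule in rules:
        if not what_matches(rule, target, attr):
            continue
        for who, access, control in rule.by:
            if not who_matches(who, subject, target):
                continue
            if priv in grant(access):
                return True
            if control == "break":
                break              # not enough here; try later directives
            return False           # 'stop' (default): the decision is final
        else:
            return False           # no 'by' clause matched: implicit 'by * none'
    return False                   # nothing granted the privilege: deny


# The seven directives from the comment, in the order given there.
RULES = [
    Rule(dn=("base", ""), by=[clause("*", "read")]),
    Rule(dn=("subtree", SUFFIX), by=[clause(("dn.exact", ADMIN), "write"), clause("*", None, "break")]),
    Rule(dn=("subtree", LOG_SUFFIX), by=[clause(("dn.exact", REPLICATOR), "read"),
                                        clause(("dn.exact", ADMIN), "read"), clause("*", None, "break")]),
    Rule(dn=("base", "cn=subschema"), by=[clause("*", "read")]),
    Rule(dn=("subtree", SUFFIX), by=[clause("anonymous", "auth"), clause("*", None, "break")]),
    Rule(attrs={"userpassword", "ftmodifier", "ftmodcode", "ftmodid"},
         by=[clause("self", "=wx"), clause("*", "none")]),
    Rule(dn=("subtree", f"ou=Permissions,ou=RBAC,{SUFFIX}"), by=[clause("users", "compare")]),
]

# Constructed sample DNs for the scenarios below (not from the page).
USER = f"uid=demo,ou=People,{SUFFIX}"
OTHER = f"uid=other,ou=People,{SUFFIX}"
PERM = f"ftObjNm=app1,ou=Permissions,ou=RBAC,{SUFFIX}"
LOG_ENTRY = f"reqStart=20190301000000.000001Z,{LOG_SUFFIX}"


def demo():
    """Decisions the ruleset yields for the principals the comment talks about."""
    return {
        "anon_read_rootdse": check(RULES, ANON, "", None, "read"),
        "anon_read_schema": check(RULES, ANON, "cn=subschema", None, "read"),
        "anon_bind_as_user": check(RULES, ANON, USER, "userPassword", "auth"),
        "anon_read_user": check(RULES, ANON, USER, "cn", "read"),
        "user_read_own_entry": check(RULES, USER, USER, "cn", "read"),
        "user_change_own_password": check(RULES, USER, USER, "userPassword", "write"),
        "user_read_own_password": check(RULES, USER, USER, "userPassword", "read"),
        "user_change_other_password": check(RULES, USER, OTHER, "userPassword", "write"),
        "user_compare_permission": check(RULES, USER, PERM, "ftPermName", "compare"),
        "user_read_permission": check(RULES, USER, PERM, "ftPermName", "read"),
        "admin_write_user": check(RULES, ADMIN, USER, "cn", "write"),
        "replicator_read_accesslog": check(RULES, REPLICATOR, LOG_ENTRY, "reqStart", "read"),
        "replicator_write_user": check(RULES, REPLICATOR, USER, "cn", "write"),
    }


if __name__ == "__main__":
    for name, allowed in demo().items():
        print(f"{name:28} {'ALLOW' if allowed else 'DENY'}")
```

The trace worth following by hand is an ordinary user reading their own entry: directive 2 matches but its only applicable clause is `by * break`, directive 5 likewise, directive 6a does not apply because `cn` is not in its attrs list, and 6b is a different subtree, so evaluation runs off the end and slapd denies. The same walk with `userPassword` and `write` stops at 6a's `by self =wx` and succeeds, which is exactly the "bind and change password, nothing else" posture the comment describes.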