On Sunday, 17 May 2015 17:25 CEST, Dieter Klünter <[email protected]> wrote:

> On Sat, 16 May 2015 16:39:47 -0400, Brendan Kearney <[email protected]> wrote:
>
> > i am looking to improve my access controls, and wanted to make sure
> > the below passes muster and sanely implements what i am looking for.
> >
> > 0 - ldap admins get access to the entire directory
> > {0}to dn.subtree="dc=bpk2,dc=com"
> >     by group.exact="cn=ldapAdmins,ou=domainGroups,ou=Groups,dc=bpk2,dc=com" manage
> >     by anonymous auth
> >     by * none
> >
> > 1 - kerberos id get only the access they need
> > {1}to dn.subtree="cn=BPK2.COM,dc=bpk2,dc=com"
> >     by dn="cn=kadmin,dc=bpk2,dc=com" write
> >     by dn="cn=kdc,dc=bpk2,dc=com" read
> >     by * none
> > ?
>
> you should test your ACLs with slapacl(8)

Tests will never be a substitute for good reasoning about code. To write/perform a good test one needs to understand the code ...

The OP's "example" is way too big for a ML question. Such auditing really is (paid) work. But just as a remark (and starting point for the OP):

> > 0 - ldap admins get access to the entire directory
> > {0}to dn.subtree="dc=bpk2,dc=com"
> >     by group.exact="cn=ldapAdmins,ou=domainGroups,ou=Groups,dc=bpk2,dc=com" manage
> >     by anonymous auth
> >     by * none
> >
> > 1 - kerberos id get only the access they need
> > {1}to dn.subtree="cn=BPK2.COM,dc=bpk2,dc=com"
> >     by dn="cn=kadmin,dc=bpk2,dc=com" write
> >     by dn="cn=kdc,dc=bpk2,dc=com" read
> >     by * none

Question 1: what entry will _not_ match the first rule?
Answer: no entry (because of the "by *").

Question 2: What entries will hit rule 2?
Answer: no entry. Since anything matching 'to dn.subtree="cn=BPK2.COM,dc=bpk2,dc=com"' will also match 'to dn.subtree="dc=bpk2,dc=com"' and will be handled in that rule.

You really need to get the order of your rules right (and make use of "pass" ...)

HTH Ralf Mattes
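The ordering problem described in the reply above, worked through as an added example that is not part of the thread and is not OpenLDAP code: a small Python model of slapd's first-match evaluation (first `to` clause covering the entry is selected, first matching `by` clause inside it decides, implicit trailing `by * none`). It encodes the two posted directives as data and shows that with the catch-all subtree first, `cn=kdc` and `cn=kadmin` get `none` on every entry under `cn=BPK2.COM`, and that putting the specific subtree first restores `read`/`write`. Assumptions: group membership is supplied as a dict rather than read from the directory, the member `cn=alice` and the sample principal entry are constructed, and the fixed ordering repeats the admin group's `manage` clause inside the Kerberos rule (which goes beyond the thread) because the later catch-all no longer applies to that subtree once the specific rule matches.

```python
"""Toy first-match evaluator for slapd-style 'access' directives.

Constructed example, not OpenLDAP code. It models the evaluation order from
slapd.access(5): the first 'to' clause whose dn.subtree covers the entry is
selected, the first matching 'by' clause inside it decides the access level,
and every directive ends with an implicit 'by * none'. Group membership is
supplied as a dict instead of being looked up in the directory.
"""

# Access levels in increasing order of privilege.
LEVELS = ["none", "disclose", "auth", "compare", "search", "read", "write", "manage"]


def norm_dn(dn):
    """Split a DN into lower-cased RDNs so comparisons ignore case and spacing."""
    return [rdn.strip().lower() for rdn in dn.split(",")]


def in_subtree(entry_dn, base_dn):
    """dn.subtree semantics: the base entry itself and everything below it."""
    entry, base = norm_dn(entry_dn), norm_dn(base_dn)
    return len(entry) >= len(base) and entry[-len(base):] == base


def who_matches(who, requester, groups):
    """True if a 'by' selector applies to the bound DN (None means anonymous)."""
    if who == "*":
        return True
    if who == "anonymous":
        return requester is None
    if who == "users":
        return requester is not None
    if who.startswith("dn="):
        return requester is not None and norm_dn(requester) == norm_dn(who[len("dn="):])
    if who.startswith("group.exact="):
        members = groups.get(who[len("group.exact="):], [])
        return requester is not None and norm_dn(requester) in [norm_dn(m) for m in members]
    raise ValueError(f"unsupported <who> selector: {who}")


def first_matching_rule(acls, entry_dn):
    """Index of the first 'to' clause that covers the entry, or None."""
    for i, acl in enumerate(acls):
        if in_subtree(entry_dn, acl["to"]):
            return i
    return None


def granted_level(acls, entry_dn, requester, groups):
    """Access level the requester gets on entry_dn under first-match evaluation."""
    i = first_matching_rule(acls, entry_dn)
    if i is None:
        return "read"  # assumption: the documented default when no directive applies
    for who, level in acls[i]["by"] + [("*", "none")]:  # implicit trailing 'by * none'
        if who_matches(who, requester, groups):
            return level
    return "none"  # not reachable because of the implicit clause; kept for clarity


def allowed(acls, entry_dn, requester, groups, requested):
    """True if the granted level is at least the requested one."""
    return LEVELS.index(granted_level(acls, entry_dn, requester, groups)) >= LEVELS.index(requested)


# --- The two directives from the thread, expressed as data -------------------
ADMINS = "cn=ldapAdmins,ou=domainGroups,ou=Groups,dc=bpk2,dc=com"
KADMIN = "cn=kadmin,dc=bpk2,dc=com"
KDC = "cn=kdc,dc=bpk2,dc=com"
REALM = "cn=BPK2.COM,dc=bpk2,dc=com"

RULE_WHOLE_TREE = {"to": "dc=bpk2,dc=com",
                   "by": [("group.exact=" + ADMINS, "manage"), ("anonymous", "auth"), ("*", "none")]}
RULE_KERBEROS = {"to": REALM,
                 "by": [("dn=" + KADMIN, "write"), ("dn=" + KDC, "read"), ("*", "none")]}

# Order as posted: the catch-all subtree comes first, so rule {1} is never reached.
POSTED_ORDER = [RULE_WHOLE_TREE, RULE_KERBEROS]

# Most specific subtree first. The admin group is repeated here (an addition beyond
# the thread) because, once this rule matches, the later catch-all never applies.
FIXED_ORDER = [{"to": REALM,
                "by": [("group.exact=" + ADMINS, "manage")] + RULE_KERBEROS["by"]},
               RULE_WHOLE_TREE]

# Constructed sample data: one admin member and one principal entry in the realm container.
GROUPS = {ADMINS: ["cn=alice,ou=People,dc=bpk2,dc=com"]}
PRINCIPAL = "krbPrincipalName=host/ldap.bpk2.com@BPK2.COM,cn=BPK2.COM,dc=bpk2,dc=com"

if __name__ == "__main__":
    for name, acls in (("posted", POSTED_ORDER), ("fixed", FIXED_ORDER)):
        print(name, "rule hit:", first_matching_rule(acls, PRINCIPAL),
              "kdc:", granted_level(acls, PRINCIPAL, KDC, GROUPS),
              "kadmin:", granted_level(acls, PRINCIPAL, KADMIN, GROUPS))
```

Running it prints `posted rule hit: 0 kdc: none kadmin: none` followed by `fixed rule hit: 0 kdc: read kadmin: write`, which is exactly the "rule 2 is never hit" argument made in the reply. The model is deliberately limited to `dn.subtree` selectors and a handful of `by` forms; for the real configuration, slapacl(8) against the running slapd remains the authoritative check.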
