Diferència entre revisions de la pàgina «Problema ldap acl»
| Línia 1: | Línia 1: | ||
==== Valors per defecte de les ACL de LDAP ==== | ==== Valors per defecte de les ACL de LDAP ==== | ||
| − | + | ||
olcAccess: {0}to attrs=userPassword,shadowLastChange by self write by anonymous auth by dn="cn=admin,dc=example,dc=com" write by * none | olcAccess: {0}to attrs=userPassword,shadowLastChange by self write by anonymous auth by dn="cn=admin,dc=example,dc=com" write by * none | ||
| + | |||
olcAccess: {1}to dn.base="" by * read | olcAccess: {1}to dn.base="" by * read | ||
| + | |||
olcAccess: {2}to * by self write by dn="cn=admin,dc=example,dc=com" write by * read | olcAccess: {2}to * by self write by dn="cn=admin,dc=example,dc=com" write by * read | ||
| − | + | ||
==== Què volem aconseguir? ==== | ==== Què volem aconseguir? ==== | ||
| Línia 12: | Línia 14: | ||
===== Aproximació 1 ===== | ===== Aproximació 1 ===== | ||
| − | + | ||
olcAccess: {0}to dn.subtree="ou=gorgblau,dc=nigul,dc=coop" by self write by dn="cn=gorgblau,dc=nigul,dc=coop" write by * read | olcAccess: {0}to dn.subtree="ou=gorgblau,dc=nigul,dc=coop" by self write by dn="cn=gorgblau,dc=nigul,dc=coop" write by * read | ||
| + | |||
olcAccess: {1}to dn.subtree="ou=matadejonc,dc=nigul,dc=coop" by self write by dn="cn=matadejonc,dc=nigul,dc=coop" write by * read | olcAccess: {1}to dn.subtree="ou=matadejonc,dc=nigul,dc=coop" by self write by dn="cn=matadejonc,dc=nigul,dc=coop" write by * read | ||
| + | |||
olcAccess: {2}to dn.subtree="ou=lledoner,dc=nigul,dc=coop" by self write by dn="cn=lledoner,dc=nigul,dc=coop" write by * read | olcAccess: {2}to dn.subtree="ou=lledoner,dc=nigul,dc=coop" by self write by dn="cn=lledoner,dc=nigul,dc=coop" write by * read | ||
| + | |||
olcAccess: {3}to attrs=userPassword,shadowLastChange by self write by anonymous auth by dn="cn=admin,dc=nigul,dc=coop" write by * none | olcAccess: {3}to attrs=userPassword,shadowLastChange by self write by anonymous auth by dn="cn=admin,dc=nigul,dc=coop" write by * none | ||
| + | |||
olcAccess: {4}to dn.base="" by * read | olcAccess: {4}to dn.base="" by * read | ||
| + | |||
olcAccess: {5}to * by self write by dn="cn=admin,dc=nigul,dc=coop" write by * read | olcAccess: {5}to * by self write by dn="cn=admin,dc=nigul,dc=coop" write by * read | ||
| − | + | ||
El problema d'aquesta és que cada condició 0, 1, 2, degut al "by * read" donam accés a les contrasenyes a tothom | El problema d'aquesta és que cada condició 0, 1, 2, degut al "by * read" donam accés a les contrasenyes a tothom | ||
===== Aproximació 2 ===== | ===== Aproximació 2 ===== | ||
| − | + | ||
olcAccess: {0}to attrs=userPassword,shadowLastChange by self write by anonymous auth by dn="cn=admin,dc=nigul,dc=coop" write by * none | olcAccess: {0}to attrs=userPassword,shadowLastChange by self write by anonymous auth by dn="cn=admin,dc=nigul,dc=coop" write by * none | ||
| + | |||
olcAccess: {1}to dn.subtree="ou=gorgblau,dc=nigul,dc=coop" by self write by dn="cn=gorgblau,dc=nigul,dc=coop" write by * read | olcAccess: {1}to dn.subtree="ou=gorgblau,dc=nigul,dc=coop" by self write by dn="cn=gorgblau,dc=nigul,dc=coop" write by * read | ||
| + | |||
olcAccess: {2}to dn.subtree="ou=matadejonc,dc=nigul,dc=coop" by self write by dn="cn=matadejonc,dc=nigul,dc=coop" write by * read | olcAccess: {2}to dn.subtree="ou=matadejonc,dc=nigul,dc=coop" by self write by dn="cn=matadejonc,dc=nigul,dc=coop" write by * read | ||
| + | |||
olcAccess: {3}to dn.subtree="ou=lledoner,dc=nigul,dc=coop" by self write by dn="cn=lledoner,dc=nigul,dc=coop" write by * read | olcAccess: {3}to dn.subtree="ou=lledoner,dc=nigul,dc=coop" by self write by dn="cn=lledoner,dc=nigul,dc=coop" write by * read | ||
| + | |||
olcAccess: {4}to dn.base="" by * read | olcAccess: {4}to dn.base="" by * read | ||
| + | |||
olcAccess: {5}to * by self write by dn="cn=admin,dc=nigul,dc=coop" write by * read | olcAccess: {5}to * by self write by dn="cn=admin,dc=nigul,dc=coop" write by * read | ||
| − | + | ||
El problema d'aquesta és que cada administrador del sub-arbre no té accés a les seves contrasenyes | El problema d'aquesta és que cada administrador del sub-arbre no té accés a les seves contrasenyes | ||
Revisió del 16:49, 4 set 2012
Valors per defecte de les ACL de LDAP
olcAccess: {0}to attrs=userPassword,shadowLastChange by self write by anonymous auth by dn="cn=admin,dc=example,dc=com" write by * none
olcAccess: {1}to dn.base="" by * read
olcAccess: {2}to * by self write by dn="cn=admin,dc=example,dc=com" write by * read
Què volem aconseguir?
Que diferents administradors tenguin accés a cada sub-arbre corresponent, i no donar accés a altres usuaris a les contrasenyes
Aproximació 1
olcAccess: {0}to dn.subtree="ou=gorgblau,dc=nigul,dc=coop" by self write by dn="cn=gorgblau,dc=nigul,dc=coop" write by * read
olcAccess: {1}to dn.subtree="ou=matadejonc,dc=nigul,dc=coop" by self write by dn="cn=matadejonc,dc=nigul,dc=coop" write by * read
olcAccess: {2}to dn.subtree="ou=lledoner,dc=nigul,dc=coop" by self write by dn="cn=lledoner,dc=nigul,dc=coop" write by * read
olcAccess: {3}to attrs=userPassword,shadowLastChange by self write by anonymous auth by dn="cn=admin,dc=nigul,dc=coop" write by * none
olcAccess: {4}to dn.base="" by * read
olcAccess: {5}to * by self write by dn="cn=admin,dc=nigul,dc=coop" write by * read
El problema d'aquesta és que cada condició 0, 1, 2, degut al "by * read" donam accés a les contrasenyes a tothom
Aproximació 2
olcAccess: {0}to attrs=userPassword,shadowLastChange by self write by anonymous auth by dn="cn=admin,dc=nigul,dc=coop" write by * none
olcAccess: {1}to dn.subtree="ou=gorgblau,dc=nigul,dc=coop" by self write by dn="cn=gorgblau,dc=nigul,dc=coop" write by * read
olcAccess: {2}to dn.subtree="ou=matadejonc,dc=nigul,dc=coop" by self write by dn="cn=matadejonc,dc=nigul,dc=coop" write by * read
olcAccess: {3}to dn.subtree="ou=lledoner,dc=nigul,dc=coop" by self write by dn="cn=lledoner,dc=nigul,dc=coop" write by * read
olcAccess: {4}to dn.base="" by * read
olcAccess: {5}to * by self write by dn="cn=admin,dc=nigul,dc=coop" write by * read
El problema d'aquesta és que cada administrador del sub-arbre no té accés a les seves contrasenyes