Problema ldap acl

De Wiki del Nigul
(Diferència entre revisions)
Dreceres ràpides: navegació, cerca
Línia 1: Línia 1:
 
==== Valors per defecte de les ACL de LDAP ====
 
==== Valors per defecte de les ACL de LDAP ====
<pre>
+
 
 
olcAccess: {0}to attrs=userPassword,shadowLastChange by self write by anonymous auth by dn="cn=admin,dc=example,dc=com" write by * none
 
olcAccess: {0}to attrs=userPassword,shadowLastChange by self write by anonymous auth by dn="cn=admin,dc=example,dc=com" write by * none
 +
 
olcAccess: {1}to dn.base="" by * read
 
olcAccess: {1}to dn.base="" by * read
 +
 
olcAccess: {2}to * by self write by dn="cn=admin,dc=example,dc=com" write by * read
 
olcAccess: {2}to * by self write by dn="cn=admin,dc=example,dc=com" write by * read
</pre>
+
 
  
 
==== Què volem aconseguir? ====
 
==== Què volem aconseguir? ====
Línia 12: Línia 14:
 
===== Aproximació 1 =====
 
===== Aproximació 1 =====
  
<pre>
+
 
 
olcAccess: {0}to dn.subtree="ou=gorgblau,dc=nigul,dc=coop" by self write by dn="cn=gorgblau,dc=nigul,dc=coop" write by * read
 
olcAccess: {0}to dn.subtree="ou=gorgblau,dc=nigul,dc=coop" by self write by dn="cn=gorgblau,dc=nigul,dc=coop" write by * read
 +
 
olcAccess: {1}to dn.subtree="ou=matadejonc,dc=nigul,dc=coop" by self write by dn="cn=matadejonc,dc=nigul,dc=coop" write by * read
 
olcAccess: {1}to dn.subtree="ou=matadejonc,dc=nigul,dc=coop" by self write by dn="cn=matadejonc,dc=nigul,dc=coop" write by * read
 +
 
olcAccess: {2}to dn.subtree="ou=lledoner,dc=nigul,dc=coop" by self write by dn="cn=lledoner,dc=nigul,dc=coop" write by * read
 
olcAccess: {2}to dn.subtree="ou=lledoner,dc=nigul,dc=coop" by self write by dn="cn=lledoner,dc=nigul,dc=coop" write by * read
 +
 
olcAccess: {3}to attrs=userPassword,shadowLastChange by self write by anonymous auth by dn="cn=admin,dc=nigul,dc=coop" write by * none
 
olcAccess: {3}to attrs=userPassword,shadowLastChange by self write by anonymous auth by dn="cn=admin,dc=nigul,dc=coop" write by * none
 +
 
olcAccess: {4}to dn.base="" by * read
 
olcAccess: {4}to dn.base="" by * read
 +
 
olcAccess: {5}to * by self write by dn="cn=admin,dc=nigul,dc=coop" write by * read
 
olcAccess: {5}to * by self write by dn="cn=admin,dc=nigul,dc=coop" write by * read
</pre>
+
 
  
 
El problema d'aquesta és que cada condició 0, 1, 2, degut al "by * read" donam accés a les contrasenyes a tothom
 
El problema d'aquesta és que cada condició 0, 1, 2, degut al "by * read" donam accés a les contrasenyes a tothom
  
 
===== Aproximació 2 =====
 
===== Aproximació 2 =====
<pre>
+
 
 
olcAccess: {0}to attrs=userPassword,shadowLastChange by self write by anonymous auth by dn="cn=admin,dc=nigul,dc=coop" write by * none
 
olcAccess: {0}to attrs=userPassword,shadowLastChange by self write by anonymous auth by dn="cn=admin,dc=nigul,dc=coop" write by * none
 +
 
olcAccess: {1}to dn.subtree="ou=gorgblau,dc=nigul,dc=coop" by self write by dn="cn=gorgblau,dc=nigul,dc=coop" write by * read
 
olcAccess: {1}to dn.subtree="ou=gorgblau,dc=nigul,dc=coop" by self write by dn="cn=gorgblau,dc=nigul,dc=coop" write by * read
 +
 
olcAccess: {2}to dn.subtree="ou=matadejonc,dc=nigul,dc=coop" by self write by dn="cn=matadejonc,dc=nigul,dc=coop" write by * read
 
olcAccess: {2}to dn.subtree="ou=matadejonc,dc=nigul,dc=coop" by self write by dn="cn=matadejonc,dc=nigul,dc=coop" write by * read
 +
 
olcAccess: {3}to dn.subtree="ou=lledoner,dc=nigul,dc=coop" by self write by dn="cn=lledoner,dc=nigul,dc=coop" write by * read
 
olcAccess: {3}to dn.subtree="ou=lledoner,dc=nigul,dc=coop" by self write by dn="cn=lledoner,dc=nigul,dc=coop" write by * read
 +
 
olcAccess: {4}to dn.base="" by * read
 
olcAccess: {4}to dn.base="" by * read
 +
 
olcAccess: {5}to * by self write by dn="cn=admin,dc=nigul,dc=coop" write by * read
 
olcAccess: {5}to * by self write by dn="cn=admin,dc=nigul,dc=coop" write by * read
</pre>
+
 
  
 
El problema d'aquesta és que cada administrador del sub-arbre no té accés a les seves contrasenyes
 
El problema d'aquesta és que cada administrador del sub-arbre no té accés a les seves contrasenyes

Revisió de 15:49, 4 set 2012

Contingut

Valors per defecte de les ACL de LDAP

olcAccess: {0}to attrs=userPassword,shadowLastChange by self write by anonymous auth by dn="cn=admin,dc=example,dc=com" write by * none

olcAccess: {1}to dn.base="" by * read

olcAccess: {2}to * by self write by dn="cn=admin,dc=example,dc=com" write by * read


Què volem aconseguir?

Que diferents administradors tenguin accés a cada sub-arbre corresponent, i no donar accés a altres usuaris a les contrasenyes

Aproximació 1

olcAccess: {0}to dn.subtree="ou=gorgblau,dc=nigul,dc=coop" by self write by dn="cn=gorgblau,dc=nigul,dc=coop" write by * read

olcAccess: {1}to dn.subtree="ou=matadejonc,dc=nigul,dc=coop" by self write by dn="cn=matadejonc,dc=nigul,dc=coop" write by * read

olcAccess: {2}to dn.subtree="ou=lledoner,dc=nigul,dc=coop" by self write by dn="cn=lledoner,dc=nigul,dc=coop" write by * read

olcAccess: {3}to attrs=userPassword,shadowLastChange by self write by anonymous auth by dn="cn=admin,dc=nigul,dc=coop" write by * none

olcAccess: {4}to dn.base="" by * read

olcAccess: {5}to * by self write by dn="cn=admin,dc=nigul,dc=coop" write by * read


El problema d'aquesta és que cada condició 0, 1, 2, degut al "by * read" donam accés a les contrasenyes a tothom

Aproximació 2

olcAccess: {0}to attrs=userPassword,shadowLastChange by self write by anonymous auth by dn="cn=admin,dc=nigul,dc=coop" write by * none

olcAccess: {1}to dn.subtree="ou=gorgblau,dc=nigul,dc=coop" by self write by dn="cn=gorgblau,dc=nigul,dc=coop" write by * read

olcAccess: {2}to dn.subtree="ou=matadejonc,dc=nigul,dc=coop" by self write by dn="cn=matadejonc,dc=nigul,dc=coop" write by * read

olcAccess: {3}to dn.subtree="ou=lledoner,dc=nigul,dc=coop" by self write by dn="cn=lledoner,dc=nigul,dc=coop" write by * read

olcAccess: {4}to dn.base="" by * read

olcAccess: {5}to * by self write by dn="cn=admin,dc=nigul,dc=coop" write by * read


El problema d'aquesta és que cada administrador del sub-arbre no té accés a les seves contrasenyes

Eines de l'usuari
Espais de noms

Variants
Accions
Navegació
Eines
Altres serveis del nigul
Racó tècnic