directory-commits mailing list archives

From smckin...@apache.org
Subject [directory-fortress-core] branch master updated: FC-264 - Improve ACL in slapd test
Date Fri, 01 Mar 2019 15:21:37 GMT
This is an automated email from the ASF dual-hosted git repository.

smckinney pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/directory-fortress-core.git


The following commit(s) were added to refs/heads/master by this push:
     new a85772d  FC-264 - Improve ACL in slapd test
a85772d is described below

commit a85772d512b8a04fc3e4a658feb3f88b3aa58675
Author: Shawn McKinney <smckinney@apache.org>
AuthorDate: Fri Mar 1 09:21:34 2019 -0600

    FC-264 - Improve ACL in slapd test
---
 ldap/slapd.conf.src | 57 +++++++++++++++++++++--------------------------------
 1 file changed, 22 insertions(+), 35 deletions(-)

diff --git a/ldap/slapd.conf.src b/ldap/slapd.conf.src
index 63c55f4..3965d09 100755
--- a/ldap/slapd.conf.src
+++ b/ldap/slapd.conf.src
@@ -53,51 +53,38 @@ moduleload  accesslog.la
 @MONITOR_MODULE@
 
 # ACLS:
-access to dn.base=""
-  by * read
+# RootDSE is always readable
+access to dn.base="" by * read
 
-# LDAPv3 Schema
-access to dn.base="cn=subschema"
-  by * read
+# The fortress admin needs write access to the whole DIT
+access to dn.subtree="@SUFFIX@"
+        by dn.exact="cn=fortress-admin,dc=admin,@SUFFIX@" write
+        by * break
 
-# Internal OpenLDAP config backend
-access to dn.subtree="cn=config"
-  by * none
+# Accesslog is readable by replicator and fortress:
+access to dn.subtree="@LOG_SUFFIX@"
+        by dn.exact="cn=replicator,dc=admin,@SUFFIX@" read
+        by dn.exact="cn=fortress-admin,dc=admin,@SUFFIX@" read
+        by * break
 
-# Monitor backend
-@IS_RBAC_ACCELERATOR@access to dn.subtree="cn=monitor"
-@IS_RBAC_ACCELERATOR@  by dn.base="@ROOT_DN@" write
-@IS_RBAC_ACCELERATOR@  by users read
+# For tooling:
+access to dn.base="cn=subschema"
+  by * read
 
-# Generic overall privilege
-access to *
+# Allow anonymous ability to bind:
+access to dn.subtree="@SUFFIX@" attrs=userPassword
   by anonymous auth
-  by dn.base="@ROOT_DN@" manage
   by * break
 
-# Password should be protected, allow user to modify their own audit attributes.
-access to attrs=userPassword,ftModifier,ftModCode,ftModId
+# For audit trail:
+# Allow users access to modify their own pw & fortress audit attrs.
+access to dn.subtree="@SUFFIX@" attrs=userPassword,ftModifier,ftModCode,ftModId
   by self =wx
   by * none
 
-# Self-readable password policy info
-access to attrs=pwdFailureTime,pwdChangedTime,pwdGraceUseTime,pwdReset,pwdPolicySubentry
-  by self read
-  by * none
-
-# Admin-only password policy info
-access to attrs=pwdAccountLockedTime,pwdHistory
-  by * none
-
-# Users may read their own attributes
-access to attrs=@inetorgperson
-  by users read
-  by * none
-
-access to attrs=@shadowAccount
-  by * none
-
-access to * by users read
+# Allow users compare access to a fortress perm op name:
+access to dn.subtree="@SUFFIX@" attrs=ftOpNm
+  by users compare
 
 password-hash {SSHA}
 
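Review bot: The final catch-all `access to * by users read` is removed at the end of the hunk without a replacement, so entries and attributes under `@SUFFIX@` that none of the remaining attribute-specific rules name fall through rule 2's `by * break` to slapd's default access policy, which for an unmatched request is `read` (the `defaultaccess` setting) unless overridden — anonymous clients could then read those attributes where the old config required an authenticated bind. The explicit `access to dn.subtree="cn=config" by * none` and the `@IS_RBAC_ACCELERATOR@` cn=monitor rules are also dropped, so what those backends expose now depends on their own defaults rather than on this file, which is worth confirming with an unauthenticated search against the test instance. I would close the list with an explicit terminal rule, `access to * by users read` followed by `  by * none` (or simply `by * none` if unauthenticated reads are never needed), restoring the old behaviour and documenting the intent with a comment such as `# Catch-all: nothing below this line is readable without a bind`.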

