Posted to commits@directory.apache.org by sm...@apache.org on 2020/05/23 19:28:24 UTC

[directory-fortress-core] branch master updated: fix acls

This is an automated email from the ASF dual-hosted git repository.

smckinney pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/directory-fortress-core.git


The following commit(s) were added to refs/heads/master by this push:
     new 6615fb0  fix acls
6615fb0 is described below

commit 6615fb002d404d0258f65fdc049d6fc075078075
Author: Shawn McKinney <sm...@symas.com>
AuthorDate: Sat May 23 14:28:08 2020 -0500

    fix acls
---
 .../openldap-for-apache-fortress-tests/slapd.conf  | 82 ++++++++++------------
 1 file changed, 38 insertions(+), 44 deletions(-)

diff --git a/src/docker/openldap-for-apache-fortress-tests/slapd.conf b/src/docker/openldap-for-apache-fortress-tests/slapd.conf
index bbbfed4..9348a0c 100644
--- a/src/docker/openldap-for-apache-fortress-tests/slapd.conf
+++ b/src/docker/openldap-for-apache-fortress-tests/slapd.conf
@@ -47,52 +47,13 @@ moduleload  accesslog.la
 moduleload  dds.la
 moduleload  back_monitor.la
 
-# ACLS:
-access to dn.base=""
-by * read
+# Global ACLS:
+# RootDSE is always readable
+access to dn.base="" by * read
 
-# LDAPv3 Schema
+# For tooling:
 access to dn.base="cn=subschema"
-by * read
-
-# Internal OpenLDAP config backend
-access to dn.subtree="cn=config"
-by * none
-
-# Monitor backend
-access to dn.subtree="cn=monitor"
-by dn.base="cn=Manager,dc=example,dc=com" write
-by users read
-
-# Generic overall privilege
-access to *
-by anonymous auth
-by dn.base="cn=Manager,dc=example,dc=com" manage
-by * break
-
-# Password should be protected, allow user to modify their own audit attributes.
-access to attrs=userPassword,ftModifier,ftModCode,ftModId
-by self =wx
-by * none
-
-# Self-readable password policy info
-access to attrs=pwdFailureTime,pwdChangedTime,pwdGraceUseTime,pwdReset,pwdPolicySubentry
-by self read
-by * none
-
-# Admin-only password policy info
-access to attrs=pwdAccountLockedTime,pwdHistory
-by * none
-
-# Users may read their own attributes
-access to attrs=@inetorgperson
-by users read
-by * none
-
-access to attrs=@shadowAccount
-by * none
-
-access to * by users read
+  by * read
 
 password-hash {SSHA}
 
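Review bot: The explicit deny directives for `dn.subtree="cn=config"`, `dn.subtree="cn=monitor"`, `attrs=pwdAccountLockedTime,pwdHistory` and `attrs=@shadowAccount` are dropped from the global section, and no directive in the new global rules or in the per-database rules added at L108–L140 names those targets again, so their protection now rests on slapd's implicit deny when no directive matches after a `by * break`. That is presumably the intent, but a reader of slapd.conf can no longer see it; keeping one terminal directive such as `access to * by * none` at the end of this global section, with a comment saying it is the catch-all, would make the policy explicit and harder to loosen by accident. Note also that `by self read` on the pwd* operational attributes and `by users read` on `@inetorgperson` are removed, so authenticated users lose read access to their own entries unless a rule outside this diff grants it; worth confirming against the Fortress test expectations.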
@@ -112,6 +73,12 @@ access to *
 dbnosync
 checkpoint   64 5
 
+# Accesslog is readable by replicator and fortress:
+access to dn.subtree="cn=log"
+        by dn.exact="cn=replicator,dc=admin,dc=example,dc=com" read
+        by dn.exact="cn=fortress-admin,dc=admin,dc=example,dc=com" read
+        by * break
+
 #######################################################################
 # Default DB Settings
 #######################################################################
@@ -125,6 +92,7 @@ rootpw      "{SSHA}pSOV2TpCxj2NMACijkcMko4fGrFopctU"
 index uidNumber,gidNumber,objectclass eq
 index cn,sn,ftObjNm,ftOpNm,ftRoleName,uid,ou eq,sub
 index ftId,ftPermName,ftRoles,ftUsers,ftRA,ftARA eq
+index roleOccupant eq
 
 directory	"/var/lib/ldap/dflt"
 overlay accesslog
@@ -132,6 +100,32 @@ logdb   "cn=log"
 dbnosync
 checkpoint	64 5
 
+# The fortress admin needs write access to the whole DIT
+access to dn.subtree="dc=example,dc=com"
+        by dn.exact="cn=fortress-admin,dc=admin,dc=example,dc=com" write
+        by * break
+
+# Accesslog is readable by replicator and fortress:
+access to dn.subtree="cn=log"
+        by dn.exact="cn=replicator,dc=admin,dc=example,dc=com" read
+        by dn.exact="cn=fortress-admin,dc=admin,dc=example,dc=com" read
+        by * break
+
+# Allow anonymous ability to bind:
+access to dn.subtree="dc=example,dc=com" attrs=userPassword
+  by anonymous auth
+  by * break
+
+# For audit trail:
+# Allow users access to modify their own pw & fortress audit attrs.
+access to dn.subtree="dc=example,dc=com" attrs=userPassword,ftModifier,ftModCode,ftModId
+  by self =wx
+  by * none
+
+# Allow users compare access to a fortress perm op name:
+access to dn.subtree="dc=example,dc=com" attrs=ftOpNm
+  by users compare
+
 #######################################################################
 # Audit Log Settings
 #######################################################################
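Review bot: The `access to dn.subtree="cn=log"` directive at L117–L121 repeats the one already added in the preceding hunk (L91–L96), and database-level `access` directives only apply to entries held by that database; if this block sits under the `dc=example,dc=com` database, as the `logdb "cn=log"` context at L108 suggests, this copy can never match and should be removed so nobody reads it as protecting the accesslog from here. Indentation of the `by` clauses is also mixed, eight spaces at L113–L121 and two at L125–L136; pick one for the new rules.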