martin: doc/architecture server.sgml,1.11,1.12

cvs at intevation.de
Tue Apr 13 04:24:54 CEST 2004


Author: martin

Update of /kolabrepository/doc/architecture
In directory doto:/tmp/cvs-serv23742

Modified Files:
	server.sgml 
Log Message:
Martin K.: LDAP Access control lists


Index: server.sgml
===================================================================
RCS file: /kolabrepository/doc/architecture/server.sgml,v
retrieving revision 1.11
retrieving revision 1.12
diff -u -d -r1.11 -r1.12
--- server.sgml	13 Apr 2004 02:11:28 -0000	1.11
+++ server.sgml	13 Apr 2004 02:24:51 -0000	1.12
@@ -58,7 +58,9 @@
 index   alias           eq
 </programlisting>
 </para>
+</sect2>
 
+	
 <sect2><title> Top Level LDAP Structure </title>
 <para> It is difficult to find a commonly accepted LDAP scheme. 
 It seems, most real life LDAP installations go for the domain oriented apporach
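Review bot: the second added line in this hunk is a whitespace-only line (a lone tab) sitting between the new `</sect2>` and the following `<sect2><title> Top Level LDAP Structure </title>`; drop the trailing whitespace so the separator is an empty line. The inserted `</sect2>` itself reads as the missing close tag for the preceding section and is the right fix, since the next `<sect2>` opens a sibling section rather than a nested one.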
@@ -558,6 +560,101 @@
 </para>
 </sect2>
 
+<sect2><title>LDAP Access Control Lists</title>
+<para>Access to individual attributes or objects is controlled via static 
+LDAP access control lists. LDAP ACLs are not meant to be changed on a daily basis as
+editing them requires a server restart.
+</para>
+<para> 
+In order to still remain flexible the OpenLDAP server allows for regular expressions in access control lists.
+</para>
+<para>
+In the following program listing we used
+the machine name <filename>kepler</filename>. 
+</para>
+<para>
+In general please beware of parsing issues with the OpenLDAP implementation. Unfortunately we encountered multiple
+times unexpected results due to parsing issues which did <emphasis>not</emphasis> result in error messages or warnings.
+</para>
+<para>
+<programlisting>
+
+access to attr=userPassword
+        by group="cn=admin,dc=kepler" write
+        by group="cn=maintainer,dc=kepler" write
+        by self write
+        by anonymous auth
+        by * none stop
+
+access to attr=mail
+        by group="cn=admin,dc=kepler" write
+        by group="cn=maintainer,dc=kepler" write
+       by * read stop
+
+access to attr=alias
+        by group="cn=admin,dc=kepler" write
+        by group="cn=maintainer,dc=kepler" write
+        by * read stop
+
+access to attr=uid
+        by group="cn=admin,dc=kepler" write
+        by group="cn=maintainer,dc=kepler" write
+        by * read stop
+
+access to dn="cn=nobody,dc=kepler"
+        by anonymous auth stop
+
+access to dn="cn=manager,dc=kepler"
+        by dn="cn=nobody,dc=kepler" read
+        by self write
+        by anonymous auth stop
+
+access to dn="cn=admin,dc=kepler"
+        by group="cn=admin,dc=kepler" write
+        by dn="cn=nobody,dc=kepler" read
+        by self write
+        by anonymous auth stop
+
+access to dn="cn=maintainer,dc=kepler"
+        by group="cn=admin,dc=kepler" write
+        by dn="cn=nobody,dc=kepler" read
+        by self write
+        by anonymous auth stop
+
+access to dn.regex="(.*,)?cn=internal,dc=kepler"
+        by group="cn=admin,dc=kepler" write
+        by group="cn=maintainer,dc=kepler" write
+        by self write
+        by dn="cn=nobody,dc=kepler" read
+        by anonymous auth stop
+
+access to dn.regex="(.*,)?cn=external,dc=kepler"
+        by group="cn=admin,dc=kepler" write
+        by group="cn=maintainer,dc=kepler" write
+        by * read stop
+
+access to dn="cn=external,dc=kepler"
+        by dn="cn=nobody,dc=kepler" read
+        by * search stop
+
+access to dn="cn=internal,dc=kepler"
+        by dn="cn=nobody,dc=kepler" read
+        by * search stop
+
+access to dn="k=kolab,dc=kepler"
+        by group="cn=admin,dc=kepler" write
+        by group="cn=maintainer,dc=kepler" read
+        by dn="cn=nobody,dc=kepler" read
+        by * none stop
+
+access to *
+        by self write
+        by group="cn=admin,dc=kepler" write
+        by group="cn=maintainer,dc=kepler" write
+        by * read stop
+</programlisting>
+</para>
+</sect2>
 
 <sect2><title> LDAP Business Card </title>
 <para>The attributes of an user entry (normal and priviledged users) are 
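Review bot: the two exact-DN directives near the end of the listing, `access to dn="cn=external,dc=kepler"` and `access to dn="cn=internal,dc=kepler"`, can never be reached. slapd uses the first `access to` clause whose target matches the entry, and the earlier `dn.regex="(.*,)?cn=internal,dc=kepler"` and `dn.regex="(.*,)?cn=external,dc=kepler"` rules make the `(.*,)?` prefix optional, so they match the container entries themselves. As written, `cn=internal,dc=kepler` gets admin/maintainer/self write, nobody read and anonymous auth, and `cn=external,dc=kepler` gets `* read`, instead of the intended `nobody read` plus `* search`. Either move the two exact-DN directives above the regex ones, or require a non-empty child prefix in the regex, e.g. `dn.regex="^.+,cn=internal,dc=kepler$"`. Anchoring with `^` and `$` is advisable in any case, because an unanchored `dn.regex` is a substring match. Two smaller points in the same hunk: the `by * read stop` line under `attr=mail` is indented with seven spaces instead of eight, and the paragraph warning about silent parsing problems would be far more useful to the next maintainer if it named one concrete construction that was misparsed. The unchanged context line just after the hunk still reads "an user entry (normal and priviledged users)" ("a user", "privileged"), which could be corrected while this area is being edited.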
@@ -584,8 +681,9 @@
 	c:
 	telephoneNumber:
 	facsimileTelephoneNumber:
-</programlisting></para>
-<para>Further entries can be easily added to the structure as the project advances and
+</programlisting>
+</para>
+<para>Further attributes can be easily added to the object class as the project advances and
  other requirements are identified.</para>
 </sect2>
 </sect1>