martin: doc/architecture server.sgml,1.11,1.12
cvs at intevation.de
Tue Apr 13 04:24:54 CEST 2004
Author: martin
Update of /kolabrepository/doc/architecture
In directory doto:/tmp/cvs-serv23742
Modified Files:
server.sgml
Log Message:
Martin K.: LDAP Access control lists
Index: server.sgml
===================================================================
RCS file: /kolabrepository/doc/architecture/server.sgml,v
retrieving revision 1.11
retrieving revision 1.12
diff -u -d -r1.11 -r1.12
--- server.sgml 13 Apr 2004 02:11:28 -0000 1.11
+++ server.sgml 13 Apr 2004 02:24:51 -0000 1.12
@@ -58,7 +58,9 @@
index alias eq
</programlisting>
</para>
+</sect2>
+
<sect2><title> Top Level LDAP Structure </title>
<para> It is difficult to find a commonly accepted LDAP scheme.
It seems, most real life LDAP installations go for the domain oriented apporach
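Review bot: the context line "go for the domain oriented apporach" carries a typo, "apporach" for "approach", and "domain oriented" reads better hyphenated as "domain-oriented"; since this hunk only supplies the missing </sect2> that closes the previous section before "Top Level LDAP Structure" opens, folding that one-word fix into the same commit would be cheap.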
@@ -558,6 +560,101 @@
</para>
</sect2>
+<sect2><title>LDAP Access Control Lists</title>
+<para>Access to individual attributes or objects is controlled via static
+LDAP access control lists. LDAP ACLs are not meant to be changed on a daily basis as
+editing them requires a server restart.
+</para>
+<para>
+In order to still remain flexible the OpenLDAP server allows for regular expressions in access control lists.
+</para>
+<para>
+In the following program listing we used
+the machine name <filename>kepler</filename>.
+</para>
+<para>
+In general please beware of parsing issues with the OpenLDAP implementation. Unfortunately we encountered multiple
+times unexpected results due to parsing issues which did <emphasis>not</emphasis> result in error messages or warnings.
+</para>
+<para>
+<programlisting>
+
+access to attr=userPassword
+ by group="cn=admin,dc=kepler" write
+ by group="cn=maintainer,dc=kepler" write
+ by self write
+ by anonymous auth
+ by * none stop
+
+access to attr=mail
+ by group="cn=admin,dc=kepler" write
+ by group="cn=maintainer,dc=kepler" write
+ by * read stop
+
+access to attr=alias
+ by group="cn=admin,dc=kepler" write
+ by group="cn=maintainer,dc=kepler" write
+ by * read stop
+
+access to attr=uid
+ by group="cn=admin,dc=kepler" write
+ by group="cn=maintainer,dc=kepler" write
+ by * read stop
+
+access to dn="cn=nobody,dc=kepler"
+ by anonymous auth stop
+
+access to dn="cn=manager,dc=kepler"
+ by dn="cn=nobody,dc=kepler" read
+ by self write
+ by anonymous auth stop
+
+access to dn="cn=admin,dc=kepler"
+ by group="cn=admin,dc=kepler" write
+ by dn="cn=nobody,dc=kepler" read
+ by self write
+ by anonymous auth stop
+
+access to dn="cn=maintainer,dc=kepler"
+ by group="cn=admin,dc=kepler" write
+ by dn="cn=nobody,dc=kepler" read
+ by self write
+ by anonymous auth stop
+
+access to dn.regex="(.*,)?cn=internal,dc=kepler"
+ by group="cn=admin,dc=kepler" write
+ by group="cn=maintainer,dc=kepler" write
+ by self write
+ by dn="cn=nobody,dc=kepler" read
+ by anonymous auth stop
+
+access to dn.regex="(.*,)?cn=external,dc=kepler"
+ by group="cn=admin,dc=kepler" write
+ by group="cn=maintainer,dc=kepler" write
+ by * read stop
+
+access to dn="cn=external,dc=kepler"
+ by dn="cn=nobody,dc=kepler" read
+ by * search stop
+
+access to dn="cn=internal,dc=kepler"
+ by dn="cn=nobody,dc=kepler" read
+ by * search stop
+
+access to dn="k=kolab,dc=kepler"
+ by group="cn=admin,dc=kepler" write
+ by group="cn=maintainer,dc=kepler" read
+ by dn="cn=nobody,dc=kepler" read
+ by * none stop
+
+access to *
+ by self write
+ by group="cn=admin,dc=kepler" write
+ by group="cn=maintainer,dc=kepler" write
+ by * read stop
+</programlisting>
+</para>
+</sect2>
<sect2><title> LDAP Business Card </title>
<para>The attributes of an user entry (normal and priviledged users) are
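Review bot: the two exact-DN directives `access to dn="cn=external,dc=kepler"` and `access to dn="cn=internal,dc=kepler"` (the `by * search stop` blocks) are unreachable as written: slapd evaluates `access to` directives in order and applies the first one whose target matches, and the earlier `dn.regex="(.*,)?cn=external,dc=kepler"` and `dn.regex="(.*,)?cn=internal,dc=kepler"` patterns already match the container entries themselves because the `(.*,)?` group is optional. The effect is that cn=external is readable by everyone and cn=internal is invisible to anyone not listed in its regex directive, whereas the shadowed directives would grant search only; move the two exact-DN directives above the regex ones, or drop them if the regex behaviour is what is intended. Two smaller points: the regex patterns are not anchored, so `"^(.*,)?cn=internal,dc=kepler$"` would be the safer spelling given the silent parsing surprises the paragraph above warns about; and the trailing `stop` on the last `by` clause is the default control, so it is harmless but adds nothing. Finally, the context line "an user entry (normal and priviledged users)" should read "a user entry (normal and privileged users)".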
@@ -584,8 +681,9 @@
c:
telephoneNumber:
facsimileTelephoneNumber:
-</programlisting></para>
-<para>Further entries can be easily added to the structure as the project advances and
+</programlisting>
+</para>
+<para>Further attributes can be easily added to the object class as the project advances and
other requirements are identified.</para>
</sect2>
</sect1>
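Review bot: the reworded sentence still reads a little awkwardly; "Further attributes can easily be added to the object class" flows better than "can be easily added". Splitting `</programlisting></para>` onto two lines is consistent with the markup style of the new ACL section, so that part looks fine.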