directory-dev mailing list archives

From "Shawn McKinney (JIRA)" <>
Subject [jira] [Commented] (FC-264) Improve ACL in slapd test
Date Fri, 01 Mar 2019 13:59:00 GMT


Shawn McKinney commented on FC-264:

The rationale for this change:

Make the directory system special purpose for fortress usage. This means only service accounts,
i.e. fortress-admin, have the ability to view and update data. Users are given just enough access
to bind and change their password, and to the fields needed for auditing. The directory and its
data are locked down to the maximum.

Changed the ACLs to the following.

1. The RootDSE must always be readable:
access to dn.base="" by * read

2. The fortress admin (think service account) needs write access to the whole DIT
access to dn.subtree="@SUFFIX@"
 by dn.exact="cn=fortress-admin,dc=admin,@SUFFIX@" write
 by * break

3. Accesslog is readable by replicator and fortress:
access to dn.subtree="@LOG_SUFFIX@"
 by dn.exact="cn=replicator,dc=admin,@SUFFIX@" read
 by dn.exact="cn=fortress-admin,dc=admin,@SUFFIX@" read
 by * break

4. For tooling:
access to dn.base="cn=subschema"
 by * read

5. Allow anonymous ability to bind:
access to dn.subtree="@SUFFIX@"
 by anonymous auth
 by * break

6. For audit trail:
a. Allow user to modify their own audit attributes.
access to attrs=userPassword,ftModifier,ftModCode,ftModId
 by self =wx
 by * none

b. Allow users compare access to permission tree:
access to dn.subtree="ou=Permissions,ou=RBAC,dc=example,dc=com"
 by users compare



> Improve ACL in slapd test
> -------------------------
>                 Key: FC-264
>                 URL:
>             Project: FORTRESS
>          Issue Type: Improvement
>    Affects Versions: 2.0.3
>            Reporter: Shawn McKinney
>            Assignee: Shawn McKinney
>            Priority: Major
>             Fix For: 2.0.4
> The ACLs in the slapd.conf test harness are in need of improvement.  Configure test
> instance to prevent all but privileged users access to entries.  Users are allowed mod of
> their password and audit attributes because those operations are performed under user's rights.

This message was sent by Atlassian JIRA
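
As an added illustration (not code from the ticket or the Fortress project), the Python below models how slapd walks the ACL list in the comment above: directives in order, first matching "to" clause applies, "break" falls through, and an explicit "=wx" grants only those privileges. It assumes @SUFFIX@ is dc=example,dc=com and @LOG_SUFFIX@ is cn=log, and simplifies slapd's semantics to the constructs used here.

```python
# Added model (not from the ticket) of how slapd walks this ACL list: directives are tried
# in order, the first whose "to" clause matches the entry/attribute applies, and its first
# matching "by" clause decides; "break" falls through to the next directive, anything else stops.
SUFFIX = "dc=example,dc=com"   # assumed value of @SUFFIX@
LOG_SUFFIX = "cn=log"          # assumed value of @LOG_SUFFIX@
ADMIN = f"cn=fortress-admin,dc=admin,{SUFFIX}"
REPLICATOR = f"cn=replicator,dc=admin,{SUFFIX}"
# Access levels in order (each implies the lower ones); PRIV maps "=wx"-style letters to a level.
LEVELS = ["none", "disclose", "auth", "compare", "search", "read", "write", "manage"]
PRIV = {"d": "disclose", "x": "auth", "c": "compare", "s": "search",
        "r": "read", "w": "write", "m": "manage"}
# The ticket's directives as (to-clause, [(who, access), ...]), in slapd.conf order.
ACLS = [
    ({"dn_base": ""}, [("*", "read")]),                                          # 1
    ({"dn_subtree": SUFFIX}, [(("dn.exact", ADMIN), "write"), ("*", "break")]),  # 2
    ({"dn_subtree": LOG_SUFFIX}, [(("dn.exact", REPLICATOR), "read"),
                                  (("dn.exact", ADMIN), "read"), ("*", "break")]),  # 3
    ({"dn_base": "cn=subschema"}, [("*", "read")]),                              # 4
    ({"dn_subtree": SUFFIX}, [("anonymous", "auth"), ("*", "break")]),           # 5
    ({"attrs": {"userpassword", "ftmodifier", "ftmodcode", "ftmodid"}},
     [("self", "=wx"), ("*", "none")]),                                          # 6a
    ({"dn_subtree": f"ou=Permissions,ou=RBAC,{SUFFIX}"}, [("users", "compare")]),  # 6b
]

def norm(dn):
    return ",".join(p.strip() for p in dn.lower().split(","))
def in_subtree(dn, base):
    return norm(dn) == norm(base) or norm(dn).endswith("," + norm(base))
def who_matches(who, requester, dn):   # requester: bound DN, or None when anonymous
    if who == "*": return True
    if who == "anonymous": return requester is None
    if who == "users": return requester is not None
    if who == "self": return requester is not None and norm(requester) == norm(dn)
    return requester is not None and norm(requester) == norm(who[1])  # ("dn.exact", DN)
def grants(access):   # "=wx" grants exactly those letters; a keyword grants its level and below
    if access.startswith("="):
        return set(access[1:])
    return {p for p, lvl in PRIV.items() if LEVELS.index(lvl) <= LEVELS.index(access)}
def evaluate(acls, requester, dn, attr="entry"):
    for to, by in acls:
        if "dn_base" in to and norm(dn) != norm(to["dn_base"]): continue
        if "dn_subtree" in to and not in_subtree(dn, to["dn_subtree"]): continue
        if "attrs" in to and attr.lower() not in to["attrs"]: continue
        for who, access in by:
            if who_matches(who, requester, dn):
                if access == "break": break   # fall through to the next directive
                return grants(access)
        else:
            return set()   # no "by" clause matched: implicit "by * none", stop
    return set()           # nothing matched at all: deny
```

Running it shows the lockdown the comment describes: a user gets =wx on their own userPassword but nothing on their own cn, anonymous gets auth only, and fortress-admin gets write everywhere under the suffix.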
