(RADIATOR) Sample Radiator access rules for OpenLDAP

Karl O. Pinc kop at meme.com
Tue Jul 20 20:48:01 CDT 2004 

FYI,

Here's a working (sub)set of access rules for OpenLDAP's
slapd.conf file to ensure that the minimum amount of
information is exposed via LDAP.

I haven't tried it out in this truncated and abbreviated
form, but it worked until I started deleting stuff for this
example.

The background is:

Radiator configured to:
AuthDN       cn=radiator,ou=service,dc=example,dc=com
PasswordAttr userPassword
SearchFilter (&(uid=%1)(useWireless=TRUE))

Notice that our entries have an attribute useWireless,
as Radiator is authenticating for wireless, and we've
configured a search filter for that.

Notice this requires a ou=service,dc=example,dc=com ldap
entry and a cn=radiator,ou=service,dc=example,dc=com entry
like:

dn: ou=Service,dc=example,dc=com
ou: Service
objectClass: organizationalUnit
objectClass: top

dn: cn=radiator,ou=Service,dc=example,dc=com
userPassword:: ...
objectClass: applicationProcess
objectClass: simpleSecurityObject
objectClass: top
description:: ...
cn: radiator


Here's the slapd.conf file.  Note the use of the "by * + break" 
construct,
which means "don't stop here just because you saw an attribute you
recognized, but keep going until you find a 'by dn' you recognise too'.
Without the "by * + break" OpenLDAP access rules are either extremely
simple or, IMO, totally incomprehensible.

See: 
http://www.openldap.org/doc/admin22/slapdconfig.html#Access%20Control

# Order of access controls is very important!  First "access ..." match 
wins!
# Without a <control> after the <who>, it's only <what> that determines
# the match.

# As many of the 2.1 rules use the "by * + break" construct it might
# be possible to enhance performance by re-ordering the rules so that
# the most common matches are done early, but care is in (*ahem*) order.


#
# Control access to the Service branch of the ldap database.
#
access to dn.subtree=ou=Service,dc=example,dc=com
        by dn.exact="uid=joesysadm,ou=People,dc=example,dc=com" write
        by dn.exact="uid=jrsysadm,ou=People,dc=example,dc=com" read
        by anonymous auth


# What the different services have access to.

# Radiator

access to dn.subtree="ou=People,dc=example,dc=com"
        attrs=entry,userPassword
        by dn.exact="cn=radiator,ou=Service,dc=example,dc=com" read
        by * + break
access to dn.subtree="ou=People,dc=example,dc=com"
        attrs=uid,useWireless
        by dn.exact="cn=radiator,ou=Service,dc=example,dc=com" search
        by * + break
access to dn.subtree="ou=People,dc=example,dc=com"
        by dn.exact="cn=radiator,ou=Service,dc=example,dc=com" none
        by * + break

# More services ...

#
#
# Access by 'maintainers': godlike folk, and the user himself
#
#
#

# Password changeers
access to dn.subtree="ou=People,dc=example,dc=com"
        attrs=userpassword,shadowLastChange,entry
        by dn.exact="uid=joesysadm,ou=People,dc=example,dc=com" write
        by dn.exact="uid=jrsysadm,ou=People,dc=example,dc=com" write
        by self write
        by * + break

# The true sysadm can chagge anything.
access to dn.subtree="ou=People,dc=example,dc=com"
        
attrs=loginShell,shadowMin,shadowMax,shadowWarning,shadowInactive,shadow\Expire,shadowFlag
        by dn.exact="uid=joesysadm,ou=People,dc=example,dc=com" write
        by dn.exact="uid=jrsysadm,ou=People,dc=example,dc=com" read
        by self write
        by * + break

#
# Defaults for the People subtree.
#

# Nobody else can get to the shadow atributes or the shell.
access to dn.subtree="ou=People,dc=example,dc=com"
        
attrs=loginShell,shadowLastChange,shadowMin,shadowMax,shadowWarning,shad\owInactive,shadowExpire,shadowFlag
	by * none

# Nobody can get to other people's 'sensitive' info.
# (really, we did birthdate for self already above)
access to dn.subtree="ou=People,dc=example,dc=com"
        attrs=someofyourpersonalinfo
        by self read
        by * none


# Allow people to authenticate.
access to dn.subtree="ou=People,dc=example,dc=com" attrs=userpassword
        by * auth

# Anybody bound can read the rest of the People tree attributes, but
# anonymous users can only use them to authenticate.
access to dn.subtree=ou=People,dc=example,dc=com
        by anonymous auth
        by * read


For those interested, here's the schema for useWireless:


# For explanation of the SYNTAX see RFC 2252 # sections 4.3.2 and 6, 
also see RFC 2252 for
# EQUALITY, ORDERING, SUBSTR etc. See
# http://www.alvestrand.no/objectid/top.html
# for general oid number lookup.

# See also: http://www.iana.org/assignments/enterprise-numbers
# For how to get your own oid namespace see:
# http://www.iana.org/cgi-bin/enterprise.pl

              # User can use wireless when present and true.

              attributetype ( 1.3.6.1.4.1.<example>.1.13
                       NAME 'useWireless'
                       DESC 'Accept password for wireless Internet 
access
                             when present and true'
                       EQUALITY booleanMatch
                       SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 )



objectClass     ( 1.3.6.1.4.1.<example>.2.1
                   NAME 'examplePerson'
                   DESC 'X-Person'
                   SUP inetOrgPerson
                   STRUCTURAL
                   MAY  (  useWireless )
                       )


Karl <kop at meme.com>
Free Software:  "You don't pay back, you pay forward."
                  -- Robert A. Heinlein

--
Archive at http://www.open.com.au/archives/radiator/
Announcements on radiator-announce at open.com.au
To unsubscribe, email 'majordomo at open.com.au' with
'unsubscribe radiator' in the body of the message.

More information about the radiator mailing list