« FeministWiki:LDAP Schema » : différence entre les versions

m
aucun résumé des modifications
mAucun résumé des modifications
Ligne 43 : Ligne 43 :
For security purposes, it's a good idea to have a "read-only" user for LDAP read operations, instead of using the admin for everything.
For security purposes, it's a good idea to have a "read-only" user for LDAP read operations, instead of using the admin for everything.


  # Addition to be made via 'ldapadd'
  # Add read-only user
ldapadd -xy ~/pwd/ldap <<EOF
  dn: cn=readonly,dc=feministwiki,dc=org
  dn: cn=readonly,dc=feministwiki,dc=org
  objectClass: simpleSecurityObject
  objectClass: simpleSecurityObject
Ligne 49 : Ligne 50 :
  cn: readonly
  cn: readonly
  description: Read-only user
  description: Read-only user
EOF


No fiddling with access control is needed, since read-only access is the default.
No fiddling with access control is needed, since read-only access is the default.
Ligne 54 : Ligne 56 :
=== Custom objectClass ===
=== Custom objectClass ===


The following LDIF statement may be passed to <code>ldapadd</code> to create the <code>fwMember</code> object class.
The following command creates the <code>fwMember</code> object class.


  # Addition to be made via 'ldapadd'
  ldapadd -Y external -H ldapi:// <<EOF
  dn: cn=feministwiki,cn=schema,cn=config
  dn: cn=feministwiki,cn=schema,cn=config
  objectClass: olcSchemaConfig
  objectClass: olcSchemaConfig
Ligne 71 : Ligne 73 :
     STRUCTURAL
     STRUCTURAL
     MAY ( fwRecoveryMail ) )
     MAY ( fwRecoveryMail ) )
EOF


=== Attribute permissions ===
=== Attribute permissions ===
Ligne 80 : Ligne 83 :
* Members should not be able to see who a member was added by (the <code>manager</code> field).
* Members should not be able to see who a member was added by (the <code>manager</code> field).


The following LDIF statement may be passed to 'ldapmodify' to make the necessary access control changes:
The following command makes the necessary access control changes:


  # Modification to be made via 'ldapmodify'
  ldapmodify -Y external -H ldapi:// <<EOF
  dn: olcDatabase={1}mdb,cn=config
  dn: olcDatabase={1}mdb,cn=config
  changetype: modify
  changetype: modify
Ligne 89 : Ligne 92 :
  olcAccess: {3}to attrs=fwRecoveryMail by self write by dn.exact="cn=readonly,dc=feministwiki,dc=org" search
  olcAccess: {3}to attrs=fwRecoveryMail by self write by dn.exact="cn=readonly,dc=feministwiki,dc=org" search
  olcAccess: {4}to attrs=manager by self read
  olcAccess: {4}to attrs=manager by self read
  -
  EOF


Note that <code>olcAccess</code> entries are evaluated in order, and the first match takes effect.  This can affect performance.  In the statement above, we start inserting entries from index 2, because indexes 0 and 1 already have some meaningful default entries.
Note that <code>olcAccess</code> entries are evaluated in order, and the first match takes effect.  This can affect performance.  In the statement above, we start inserting entries from index 2, because indexes 0 and 1 already have some meaningful default entries.
Ligne 153 : Ligne 156 :
The <code>lastbind</code> module of OpenLDAP keeps track of when a user last logged in.
The <code>lastbind</code> module of OpenLDAP keeps track of when a user last logged in.


Load the module:
# Load the module
 
  ldapmodify -Y external -H ldapi:// <<EOF
  # Modification to be made via 'ldapmodify'
  dn: cn=module{0},cn=config
  dn: cn=module{0},cn=config
  changetype: modify
  changetype: modify
  add: olcModuleLoad
  add: olcModuleLoad
  olcModuleLoad: lastbind
  olcModuleLoad: lastbind
EOF


And enable the overlay:
# Enable the overlay
   
  ldapadd -Y external -H ldapi:// <<EOF
# Addition to be made via 'ldapadd'
  dn: olcOverlay=lastbind,olcDatabase={1}mdb,cn=config
  dn: olcOverlay=lastbind,olcDatabase={1}mdb,cn=config
  objectClass: olcLastBindConfig
  objectClass: olcLastBindConfig
  olcOverlay: lastbind
  olcOverlay: lastbind
  olcLastBindPrecision: 60
  olcLastBindPrecision: 60
EOF