FeministWiki:LDAP Schema: differences between versions

    m No edit summary
    Line 43: Line 43:
    For security purposes, it's a good idea to have a "read-only" user for LDAP read operations, instead of using the admin for everything.
    For security purposes, it's a good idea to have a "read-only" user for LDAP read operations, instead of using the admin for everything.

      # Addition to be made via 'ldapadd'
      # Add read-only user
    ldapadd -xy ~/pwd/ldap <<EOF
      dn: cn=readonly,dc=feministwiki,dc=org
      dn: cn=readonly,dc=feministwiki,dc=org
      objectClass: simpleSecurityObject
      objectClass: simpleSecurityObject
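Review bot: the added `ldapadd -xy ~/pwd/ldap <<EOF` line names no bind DN (`-D`) and no server URI (`-H`), so it only works if `BINDDN` and `URI` are already set in the client's `ldaprc`; without a DN, OpenLDAP by default rejects a simple bind that supplies a password (an "unauthenticated" bind), so either add `-D` with the admin DN here or state the `ldaprc` prerequisite. Because `-y ~/pwd/ldap` reads the admin password from a file, that file must be readable only by its owner (mode 0600). The heredoc's closing `EOF` also falls outside this hunk; confirm it is present in the full text, since the change made the heredoc start part of the example.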
    Line 49: Line 50:
      cn: readonly
      cn: readonly
      description: Read-only user
      description: Read-only user

    No fiddling with access control is needed, since read-only access is the default.
    No fiddling with access control is needed, since read-only access is the default.
    Line 54: Line 56:
    === Custom objectClass ===
    === Custom objectClass ===

    The following LDIF statement may be passed to <code>ldapadd</code> to create the <code>fwMember</code> object class.
    The following command creates the <code>fwMember</code> object class.

      # Addition to be made via 'ldapadd'
      ldapadd -Y external -H ldapi:// <<EOF
      dn: cn=feministwiki,cn=schema,cn=config
      dn: cn=feministwiki,cn=schema,cn=config
      objectClass: olcSchemaConfig
      objectClass: olcSchemaConfig
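Review bot: the new `ldapadd -Y external -H ldapi:// <<EOF` line writes to `cn=schema,cn=config`, which succeeds only when the SASL EXTERNAL identity of the connecting process (its peer uid/gid over the `ldapi://` socket) is granted manage access on `cn=config`; on most packaged slapd installs that is only root's peer credentials, so the text should say the command is run as root (or with `sudo`). The shell-level `<<EOF` replaces the earlier `# Addition to be made via 'ldapadd'` comment, but the matching closing `EOF` is not in this hunk; make sure the full page has it, otherwise the shell waits on stdin instead of running `ldapadd`.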
    Line 71: Line 73:
         MAY ( fwRecoveryMail ) )
         MAY ( fwRecoveryMail ) )

    === Attribute permissions ===
    === Attribute permissions ===
    Line 80: Line 83:
    * Members should not be able to see who a member was added by (the <code>manager</code> field).
    * Members should not be able to see who a member was added by (the <code>manager</code> field).

    The following LDIF statement may be passed to 'ldapmodify' to make the necessary access control changes:
    The following command makes the necessary access control changes:

      # Modification to be made via 'ldapmodify'
      ldapmodify -Y external -H ldapi:// <<EOF
      dn: olcDatabase={1}mdb,cn=config
      dn: olcDatabase={1}mdb,cn=config
      changetype: modify
      changetype: modify
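Review bot: `dn: olcDatabase={1}mdb,cn=config` hard-codes the database index; `{1}` is correct only when the mdb database holding the member entries is the first one after `{0}config`. Suggest a one-line check before the `ldapmodify` command, e.g. `ldapsearch -Y EXTERNAL -H ldapi:// -b cn=config "(olcDatabase=*)" dn`, so a reader on a host with more than one database edits the right ACL set. The same root/`sudo` prerequisite for `-Y external -H ldapi://` noted for the schema addition applies here.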
    Line 89: Line 92:
      olcAccess: {3}to attrs=fwRecoveryMail by self write by dn.exact="cn=readonly,dc=feministwiki,dc=org" search
      olcAccess: {3}to attrs=fwRecoveryMail by self write by dn.exact="cn=readonly,dc=feministwiki,dc=org" search
      olcAccess: {4}to attrs=manager by self read
      olcAccess: {4}to attrs=manager by self read

    Note that <code>olcAccess</code> entries are evaluated in order, and the first match takes effect.  This can affect performance.  In the statement above, we start inserting entries from index 2, because indexes 0 and 1 already have some meaningful default entries.
    Note that <code>olcAccess</code> entries are evaluated in order, and the first match takes effect.  This can affect performance.  In the statement above, we start inserting entries from index 2, because indexes 0 and 1 already have some meaningful default entries.
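Review bot: `olcAccess: {3}to attrs=fwRecoveryMail by self write by dn.exact="cn=readonly,dc=feministwiki,dc=org" search` gives the read-only user `search` rather than `read` on the recovery address, which lets that identity match the attribute in a filter but never have the value returned; state whether that is deliberate (it fits the "read-only for lookups" design, but any application expecting to read `fwRecoveryMail` through the read-only bind will see an empty attribute). Both rules end without an explicit `by * none`; the implicit default denies everyone else, which is what the `manager` bullet asks for, but spelling it out makes the intent auditable. The sentence "This can affect performance." is vague: the order matters first for correctness (a broader `to attrs=...` or `to *` rule placed earlier would shadow these) and only secondarily for evaluation cost.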
    Line 153: Line 156:
    The <code>lastbind</code> module of OpenLDAP keeps track of when a user last logged in.
    The <code>lastbind</code> module of OpenLDAP keeps track of when a user last logged in.

    Load the module:
    # Load the module
      ldapmodify -Y external -H ldapi:// <<EOF
      # Modification to be made via 'ldapmodify'
      dn: cn=module{0},cn=config
      dn: cn=module{0},cn=config
      changetype: modify
      changetype: modify
      add: olcModuleLoad
      add: olcModuleLoad
      olcModuleLoad: lastbind
      olcModuleLoad: lastbind

    And enable the overlay:
    # Enable the overlay
      ldapadd -Y external -H ldapi:// <<EOF
    # Addition to be made via 'ldapadd'
      dn: olcOverlay=lastbind,olcDatabase={1}mdb,cn=config
      dn: olcOverlay=lastbind,olcDatabase={1}mdb,cn=config
      objectClass: olcLastBindConfig
      objectClass: olcLastBindConfig
      olcOverlay: lastbind
      olcOverlay: lastbind
      olcLastBindPrecision: 60
      olcLastBindPrecision: 60
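Review bot: the new comment lines `# Load the module` and `# Enable the overlay` sit at the paragraph indent rather than inside the preformatted block (compare the extra leading space on `# Add read-only user` earlier in this diff); in wikitext a line beginning with `#` renders as a numbered-list item, so indent them like the command lines or they will show as "1. Load the module". Neither `ldapmodify -Y external -H ldapi:// <<EOF` nor `ldapadd -Y external -H ldapi:// <<EOF` has a closing `EOF` in the hunk; confirm it is present in the full text. `dn: cn=module{0},cn=config` with `changetype: modify` assumes a module-list entry already exists; on a server that has never loaded a dynamic module there is no `cn=module{0}` and the step needs an `ldapadd` of an `olcModuleList` entry instead, so a note to check for it first would help. `olcLastBindPrecision: 60` means the `pwdLastSuccess` timestamp the overlay writes is refreshed at most once per 60 seconds per entry, which bounds the write load from frequent binds; since that attribute reveals when each member last authenticated, it deserves an `olcAccess` rule of its own in the "Attribute permissions" section, as it is not covered by the `fwRecoveryMail` and `manager` rules above.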