FeministWiki:LDAP Schema: Difference between revisions

No edit summary
Line 74: Line 74:
=== Attribute permissions ===
=== Attribute permissions ===


We want members to be able to change some of their own settings without requiring privilege escalation. We also want the read-only user to be able to find users via the combination of their username and recovery mail address (the password reset mechanism uses this) but not actually see recovery mail addresses.  The following LDIF statement may be passed to 'ldapmodify' to make the necessary access control changes:
We want to make the following changes to the default LDAP permissions:
 
* Members should be able to change their own display name (<code>sn</code>) and e-mail address (<code>mail</code>).
* The read-only user should be able to find users via the combination of their username and recovery mail address (<code>fwRecoveryMail</code>), but not actually see their recovery mail addresses.  (The password reset mechanism uses this.)
* Members should not be able to see who a member was added by (the <code>manager</code> field).
 
The following LDIF statement may be passed to 'ldapmodify' to make the necessary access control changes:


  # Modification to be made via 'ldapmodify'
  # Modification to be made via 'ldapmodify'
Line 82: Line 88:
  olcAccess: {2}to attrs=sn,mail by self write
  olcAccess: {2}to attrs=sn,mail by self write
  olcAccess: {3}to attrs=fwRecoveryMail by self write by dn.exact="cn=readonly,dc=feministwiki,dc=org" search
  olcAccess: {3}to attrs=fwRecoveryMail by self write by dn.exact="cn=readonly,dc=feministwiki,dc=org" search
olcAccess: {4}to attrs=manager by self read
  -
  -
Note that <code>olcAccess</code> entries are evaluated in order, and the first match takes effect.  This can affect performance.  In the statement above, we start inserting entries from index 2, because indexes 0 and 1 already have some meaningful default entries.


=== Password hashing ===
=== Password hashing ===