FeministWiki:LDAP Schema: Difference between revisions
Technician (talk | contribs) |
Technician (talk | contribs) mNo edit summary |
||
| Line 43: | Line 43: | ||
For security purposes, it's a good idea to have a "read-only" user for LDAP read operations, instead of using the admin for everything. | For security purposes, it's a good idea to have a "read-only" user for LDAP read operations, instead of using the admin for everything. | ||
# | # Add read-only user | ||
ldapadd -xy ~/pwd/ldap <<EOF | |||
dn: cn=readonly,dc=feministwiki,dc=org | dn: cn=readonly,dc=feministwiki,dc=org | ||
objectClass: simpleSecurityObject | objectClass: simpleSecurityObject | ||
| Line 49: | Line 50: | ||
cn: readonly | cn: readonly | ||
description: Read-only user | description: Read-only user | ||
EOF | |||
No fiddling with access control is needed, since read-only access is the default. | No fiddling with access control is needed, since read-only access is the default. | ||
| Line 54: | Line 56: | ||
=== Custom objectClass === | === Custom objectClass === | ||
The following | The following command creates the <code>fwMember</code> object class. | ||
ldapadd -Y external -H ldapi:// <<EOF | |||
dn: cn=feministwiki,cn=schema,cn=config | dn: cn=feministwiki,cn=schema,cn=config | ||
objectClass: olcSchemaConfig | objectClass: olcSchemaConfig | ||
| Line 71: | Line 73: | ||
STRUCTURAL | STRUCTURAL | ||
MAY ( fwRecoveryMail ) ) | MAY ( fwRecoveryMail ) ) | ||
EOF | |||
=== Attribute permissions === | === Attribute permissions === | ||
| Line 80: | Line 83: | ||
* Members should not be able to see who a member was added by (the <code>manager</code> field). | * Members should not be able to see who a member was added by (the <code>manager</code> field). | ||
The following | The following command makes the necessary access control changes: | ||
ldapmodify -Y external -H ldapi:// <<EOF | |||
dn: olcDatabase={1}mdb,cn=config | dn: olcDatabase={1}mdb,cn=config | ||
changetype: modify | changetype: modify | ||
| Line 89: | Line 92: | ||
olcAccess: {3}to attrs=fwRecoveryMail by self write by dn.exact="cn=readonly,dc=feministwiki,dc=org" search | olcAccess: {3}to attrs=fwRecoveryMail by self write by dn.exact="cn=readonly,dc=feministwiki,dc=org" search | ||
olcAccess: {4}to attrs=manager by self read | olcAccess: {4}to attrs=manager by self read | ||
EOF | |||
Note that <code>olcAccess</code> entries are evaluated in order, and the first match takes effect. This can affect performance. In the statement above, we start inserting entries from index 2, because indexes 0 and 1 already have some meaningful default entries. | Note that <code>olcAccess</code> entries are evaluated in order, and the first match takes effect. This can affect performance. In the statement above, we start inserting entries from index 2, because indexes 0 and 1 already have some meaningful default entries. | ||
| Line 153: | Line 156: | ||
The <code>lastbind</code> module of OpenLDAP keeps track of when a user last logged in. | The <code>lastbind</code> module of OpenLDAP keeps track of when a user last logged in. | ||
Load the module | # Load the module | ||
ldapmodify -Y external -H ldapi:// <<EOF | |||
dn: cn=module{0},cn=config | dn: cn=module{0},cn=config | ||
changetype: modify | changetype: modify | ||
add: olcModuleLoad | add: olcModuleLoad | ||
olcModuleLoad: lastbind | olcModuleLoad: lastbind | ||
EOF | |||
# Enable the overlay | |||
ldapadd -Y external -H ldapi:// <<EOF | |||
dn: olcOverlay=lastbind,olcDatabase={1}mdb,cn=config | dn: olcOverlay=lastbind,olcDatabase={1}mdb,cn=config | ||
objectClass: olcLastBindConfig | objectClass: olcLastBindConfig | ||
olcOverlay: lastbind | olcOverlay: lastbind | ||
olcLastBindPrecision: 60 | olcLastBindPrecision: 60 | ||
EOF | |||