1,106
edits
Technician (talk | contribs) No edit summary |
Technician (talk | contribs) |
||
Line 74: | Line 74: | ||
=== Attribute permissions === | === Attribute permissions === | ||
We want | We want to make the following changes to the default LDAP permissions: | ||
* Members should be able to change their own display name (<code>sn</code>) and e-mail address (<code>mail</code>). | |||
* The read-only user should be able to find users via the combination of their username and recovery mail address (<code>fwRecoveryMail</code>), but not actually see their recovery mail addresses. (The password reset mechanism uses this.) | |||
* Members should not be able to see who a member was added by (the <code>manager</code> field). | |||
The following LDIF statement may be passed to 'ldapmodify' to make the necessary access control changes: | |||
# Modification to be made via 'ldapmodify' | # Modification to be made via 'ldapmodify' | ||
Line 82: | Line 88: | ||
olcAccess: {2}to attrs=sn,mail by self write | olcAccess: {2}to attrs=sn,mail by self write | ||
olcAccess: {3}to attrs=fwRecoveryMail by self write by dn.exact="cn=readonly,dc=feministwiki,dc=org" search | olcAccess: {3}to attrs=fwRecoveryMail by self write by dn.exact="cn=readonly,dc=feministwiki,dc=org" search | ||
olcAccess: {4}to attrs=manager by self read | |||
- | - | ||
Note that <code>olcAccess</code> entries are evaluated in order, and the first match takes effect. This can affect performance. In the statement above, we start inserting entries from index 2, because indexes 0 and 1 already have some meaningful default entries. | |||
=== Password hashing === | === Password hashing === |