Linux Archive / Fedora Directory / ACI help
(http://www.linux-archive.org/fedora-directory/150520-aci-help.html)

Craig White 08-28-2008 08:53 PM

ACI help
 
I have users personal address books as an ou under their accounts...

ou=AddressBook,uid=craig,ou=People,ou=Accounts,dc=example,dc=com

but when I try to add an entry, I am blocked...

[28/Aug/2008:12:42:11 -0700] conn=18613 op=1 ADD
dn="cn=Test,ou=AddressBook,uid=craig,ou=People,ou=Accounts,dc=example,dc=com"
[28/Aug/2008:12:42:11 -0700] conn=18613 op=1 RESULT err=50 tag=105
nentries=0 etime=0

I need an ACi that allows each uid account to read/write entries in OU's
under their own accounts and the only ACi's I have are the ones
inherited

Craig

--
Fedora-directory-users mailing list
Fedora-directory-users@redhat.com
https://www.redhat.com/mailman/listinfo/fedora-directory-users

Craig White 08-31-2008 07:00 PM

ACI help
 
On Thu, 2008-08-28 at 13:53 -0700, Craig White wrote:
> I have users personal address books as an ou under their accounts...
>
> ou=AddressBook,uid=craig,ou=People,ou=Accounts,dc=example,dc=com
>
> but when I try to add an entry, I am blocked...
>
> [28/Aug/2008:12:42:11 -0700] conn=18613 op=1 ADD
> dn="cn=Test,ou=AddressBook,uid=craig,ou=People,ou=Accounts,dc=example,dc=com"
> [28/Aug/2008:12:42:11 -0700] conn=18613 op=1 RESULT err=50 tag=105
> nentries=0 etime=0
>
> I need an ACi that allows each uid account to read/write entries in OU's
> under their own accounts and the only ACi's I have are the ones
> inherited
----
It would be great if I could get some help here.

I know that in OpenLDAP, ACL's are processed top down and so I'm looking
at the ACi's that would govern here.

dc=example,dc=com has the following ACI (the second one after anonymous
access)...

(targetattr = "carLicense ||description ||displayName
||facsimileTelephoneNumber ||homePhone ||homePostalAddress ||initials
||jpegPhoto ||labeledURL ||mail ||mobile ||pager ||photo
||postOfficeBox ||postalAddress ||postalCode ||preferredDeliveryMethod
||preferredLanguage ||registeredAddress ||roomNumber ||secretary
||seeAlso ||st ||street ||telephoneNumber ||telexNumber ||title
||userCertificate ||userPassword ||userSMIMECertificate
||x500UniqueIdentifier")
(version 3.0;
acl "Enable self write for common attributes";
allow (write)
(userdn = "ldap:///self")
;)

and I added one more (it's on the bottom of the list - #7)...

(targetattr = "*") (version 3.0;acl "Personal Address Books";allow
(write)(userdn = "ldap:///self");)

but still...

[31/Aug/2008:10:27:57 -0700] conn=2625 op=0 BIND
dn="uid=administrator,ou=People,ou=Accounts,dc=example,dc=com"
method=128 version=3
[31/Aug/2008:10:27:57 -0700] conn=2625 op=0 RESULT err=0 tag=97
nentries=0 etime=0
dn="uid=administrator,ou=people,ou=accounts,dc=example,dc=com"
[31/Aug/2008:10:27:57 -0700] conn=2625 op=1 ADD
dn="cn=Test,ou=AddressBook,uid=administrator,ou=People,ou=Accounts,dc=example,dc=com"
[31/Aug/2008:10:27:57 -0700] conn=2625 op=1 RESULT err=50 tag=105
nentries=0 etime=0

Craig


Rich Megginson 09-02-2008 03:26 PM

ACI help
 
Craig White wrote:
> On Thu, 2008-08-28 at 13:53 -0700, Craig White wrote:
>> I have users personal address books as an ou under their accounts...
>>
>> ou=AddressBook,uid=craig,ou=People,ou=Accounts,dc=example,dc=com
>>
>> but when I try to add an entry, I am blocked...
>>
>> [28/Aug/2008:12:42:11 -0700] conn=18613 op=1 ADD
>> dn="cn=Test,ou=AddressBook,uid=craig,ou=People,ou=Accounts,dc=example,dc=com"
>> [28/Aug/2008:12:42:11 -0700] conn=18613 op=1 RESULT err=50 tag=105
>> nentries=0 etime=0
>>
>> I need an ACi that allows each uid account to read/write entries in OU's
>> under their own accounts and the only ACi's I have are the ones
>> inherited
> ----
> It would be great if I could get some help here.
The ACL Summary error log level can provide some clues.
http://directory.fedoraproject.org/wiki/FAQ#Troubleshooting

> I know that in OpenLDAP, ACL's are processed top down and so I'm looking
> at the ACi's that would govern here.
>
> dc=example,dc=com has the following ACI (the second one after anonymous
> access)...
>
> (targetattr = "carLicense ||description ||displayName
> ||facsimileTelephoneNumber ||homePhone ||homePostalAddress ||initials
> ||jpegPhoto ||labeledURL ||mail ||mobile ||pager ||photo
> ||postOfficeBox ||postalAddress ||postalCode ||preferredDeliveryMethod
> ||preferredLanguage ||registeredAddress ||roomNumber ||secretary
> ||seeAlso ||st ||street ||telephoneNumber ||telexNumber ||title
> ||userCertificate ||userPassword ||userSMIMECertificate
> ||x500UniqueIdentifier")
> (version 3.0;
> acl "Enable self write for common attributes";
> allow (write)
> (userdn = "ldap:///self")
> ;)
>
> and I added one more (it's on the bottom of the list - #7)...
>
> (targetattr = "*") (version 3.0;acl "Personal Address Books";allow
> (write)(userdn = "ldap:///self");)
>
> but still...
>
> [31/Aug/2008:10:27:57 -0700] conn=2625 op=0 BIND
> dn="uid=administrator,ou=People,ou=Accounts,dc=example,dc=com"
> method=128 version=3
> [31/Aug/2008:10:27:57 -0700] conn=2625 op=0 RESULT err=0 tag=97
> nentries=0 etime=0
> dn="uid=administrator,ou=people,ou=accounts,dc=example,dc=com"
> [31/Aug/2008:10:27:57 -0700] conn=2625 op=1 ADD
> dn="cn=Test,ou=AddressBook,uid=administrator,ou=People,ou=Accounts,dc=example,dc=com"
> [31/Aug/2008:10:27:57 -0700] conn=2625 op=1 RESULT err=50 tag=105
> nentries=0 etime=0
>
> Craig


Craig White 09-02-2008 03:35 PM

ACI help
 
On Tue, 2008-09-02 at 09:26 -0600, Rich Megginson wrote:
> Craig White wrote:
> > On Thu, 2008-08-28 at 13:53 -0700, Craig White wrote:
> >
> >> I have users personal address books as an ou under their accounts...
> >>
> >> ou=AddressBook,uid=craig,ou=People,ou=Accounts,dc=example,dc=com
> >>
> >> but when I try to add an entry, I am blocked...
> >>
> >> [28/Aug/2008:12:42:11 -0700] conn=18613 op=1 ADD
> >> dn="cn=Test,ou=AddressBook,uid=craig,ou=People,ou=Accounts,dc=example,dc=com"
> >> [28/Aug/2008:12:42:11 -0700] conn=18613 op=1 RESULT err=50 tag=105
> >> nentries=0 etime=0
> >>
> >> I need an ACi that allows each uid account to read/write entries in OU's
> >> under their own accounts and the only ACi's I have are the ones
> >> inherited
> >>
> > ----
> > It would be great if I could get some help here.
> >
> The ACL Summary error log level can provide some clues.
> http://directory.fedoraproject.org/wiki/FAQ#Troubleshooting
----
I've been all over that and I understand that err=50 is insufficient
access and I've read all the pages I can find on the wiki and the 7.1
support pages but it's not helping.

I hate to say this but I can do this so simply with OpenLDAP and I'm
mystified why it is so difficult to do on Fedora-DS

Craig


Rich Megginson 09-02-2008 03:59 PM

ACI help
 
Rich Megginson wrote:
> Craig White wrote:
>> On Thu, 2008-08-28 at 13:53 -0700, Craig White wrote:
>>> I have users personal address books as an ou under their accounts...
>>>
>>> ou=AddressBook,uid=craig,ou=People,ou=Accounts,dc=example,dc=com
>>>
>>> but when I try to add an entry, I am blocked...
>>>
>>> [28/Aug/2008:12:42:11 -0700] conn=18613 op=1 ADD
>>> dn="cn=Test,ou=AddressBook,uid=craig,ou=People,ou=Accounts,dc=example,dc=com"
>>> [28/Aug/2008:12:42:11 -0700] conn=18613 op=1 RESULT err=50 tag=105
>>> nentries=0 etime=0
>>>
>>> I need an ACi that allows each uid account to read/write entries in OU's
>>> under their own accounts and the only ACi's I have are the ones
>>> inherited
>> ----
>> It would be great if I could get some help here.
> The ACL Summary error log level can provide some clues.
> http://directory.fedoraproject.org/wiki/FAQ#Troubleshooting
>> I know that in OpenLDAP, ACL's are processed top down and so I'm looking
>> at the ACi's that would govern here.
>>
>> dc=example,dc=com has the following ACI (the second one after anonymous
>> access)...
>>
>> (targetattr = "carLicense ||description ||displayName
>> ||facsimileTelephoneNumber ||homePhone ||homePostalAddress
>> ||initials ||jpegPhoto ||labeledURL ||mail ||mobile ||pager ||photo
>> ||postOfficeBox ||postalAddress ||postalCode
>> ||preferredDeliveryMethod ||preferredLanguage ||registeredAddress
>> ||roomNumber ||secretary ||seeAlso ||st ||street ||telephoneNumber
>> ||telexNumber ||title ||userCertificate ||userPassword
>> ||userSMIMECertificate ||x500UniqueIdentifier")
>> (version 3.0;
>> acl "Enable self write for common attributes";
>> allow (write)
>> (userdn = "ldap:///self")
>> ;)
>>
>> and I added one more (it's on the bottom of the list - #7)...
>>
>> (targetattr = "*") (version 3.0;acl "Personal Address Books";allow
>> (write)(userdn = "ldap:///self");)
Have you tried the "add" right, to allow users to add entries under
their entries?

http://tinyurl.com/3yo88r

I'm not sure if self will work here - you might have to use a macro ACI
in which the uid part of the target matches the uid part of the subject
- see

http://tinyurl.com/59ehxh


>> but still...
>>
>> [31/Aug/2008:10:27:57 -0700] conn=2625 op=0 BIND
>> dn="uid=administrator,ou=People,ou=Accounts,dc=example,dc=com"
>> method=128 version=3
>> [31/Aug/2008:10:27:57 -0700] conn=2625 op=0 RESULT err=0 tag=97
>> nentries=0 etime=0
>> dn="uid=administrator,ou=people,ou=accounts,dc=example,dc=com"
>> [31/Aug/2008:10:27:57 -0700] conn=2625 op=1 ADD
>> dn="cn=Test,ou=AddressBook,uid=administrator,ou=People,ou=Accounts,dc=example,dc=com"
>> [31/Aug/2008:10:27:57 -0700] conn=2625 op=1 RESULT err=50 tag=105
>> nentries=0 etime=0
>>
>> Craig


Craig White 09-02-2008 05:58 PM

ACI help
 
On Tue, 2008-09-02 at 09:59 -0600, Rich Megginson wrote:
> Rich Megginson wrote:
> > Craig White wrote:
> >> On Thu, 2008-08-28 at 13:53 -0700, Craig White wrote:
> >>
> >>> I have users personal address books as an ou under their accounts...
> >>>
> >>> ou=AddressBook,uid=craig,ou=People,ou=Accounts,dc=example,dc=com
> >>>
> >>> but when I try to add an entry, I am blocked...
> >>>
> >>> [28/Aug/2008:12:42:11 -0700] conn=18613 op=1 ADD
> >>> dn="cn=Test,ou=AddressBook,uid=craig,ou=People,ou=Accounts,dc=example,dc=com"
> >>>
> >>> [28/Aug/2008:12:42:11 -0700] conn=18613 op=1 RESULT err=50 tag=105
> >>> nentries=0 etime=0
> >>>
> >>> I need an ACi that allows each uid account to read/write entries in
> >>> OU's
> >>> under their own accounts and the only ACi's I have are the ones
> >>> inherited
> >>>
> >> ----
> >> It would be great if I could get some help here.
> >>
> > The ACL Summary error log level can provide some clues.
> > http://directory.fedoraproject.org/wiki/FAQ#Troubleshooting
> >> I know that in OpenLDAP, ACL's are processed top down and so I'm looking
> >> at the ACi's that would govern here.
> >>
> >> dc=example,dc=com has the following ACI (the second one after anonymous
> >> access)...
> >>
> >> (targetattr = "carLicense ||description ||displayName
> >> ||facsimileTelephoneNumber ||homePhone ||homePostalAddress
> >> ||initials ||jpegPhoto ||labeledURL ||mail ||mobile ||pager ||photo
> >> ||postOfficeBox ||postalAddress ||postalCode
> >> ||preferredDeliveryMethod ||preferredLanguage ||registeredAddress
> >> ||roomNumber ||secretary ||seeAlso ||st ||street ||telephoneNumber
> >> ||telexNumber ||title ||userCertificate ||userPassword
> >> ||userSMIMECertificate ||x500UniqueIdentifier")
> >> (version 3.0;
> >> acl "Enable self write for common attributes";
> >> allow (write)
> >> (userdn = "ldap:///self")
> >> ;)
> >>
> >> and I added one more (it's on the bottom of the list - #7)...
> >>
> >> (targetattr = "*") (version 3.0;acl "Personal Address Books";allow
> >> (write)(userdn = "ldap:///self");)
> Have you tried the "add" right, to allow users to add entries under
> their entries?
> http://tinyurl.com/3yo88r
>
> I'm not sure if self will work here - you might have to use a macro ACI
> in which the uid part of the target matches the uid part of the subject
> - see
> http://tinyurl.com/59ehxh
> >>
----
I'm not sure if 'self' will work here either...nothing seems to work.

This is the ACL that works for me in OpenLDAP...

access to
dn.regex="^ou=AddressBook,uid=([^,]+),ou=People,dc=example,dc=com$$"
attrs=children,entry,inetOrgPerson,organizationalPerson
by dn.exact,expand="uid=$1,ou=People,dc=example,dc=com" write
by dn.exact="uid=administrator,ou=People,dc=example,dc=com"
write
by * none

I am hesitant to fool with the access control while there are people
working on the network but the above is exactly what I want to work in
Fedora-DS

Craig


Rich Megginson 09-02-2008 06:10 PM

ACI help
 
Craig White wrote:
> On Tue, 2008-09-02 at 09:59 -0600, Rich Megginson wrote:
>> Rich Megginson wrote:
>>> Craig White wrote:
>>>> On Thu, 2008-08-28 at 13:53 -0700, Craig White wrote:
>>>>> I have users personal address books as an ou under their accounts...
>>>>>
>>>>> ou=AddressBook,uid=craig,ou=People,ou=Accounts,dc=example,dc=com
>>>>>
>>>>> but when I try to add an entry, I am blocked...
>>>>>
>>>>> [28/Aug/2008:12:42:11 -0700] conn=18613 op=1 ADD
>>>>> dn="cn=Test,ou=AddressBook,uid=craig,ou=People,ou=Accounts,dc=example,dc=com"
>>>>> [28/Aug/2008:12:42:11 -0700] conn=18613 op=1 RESULT err=50 tag=105
>>>>> nentries=0 etime=0
>>>>>
>>>>> I need an ACi that allows each uid account to read/write entries in OU's
>>>>> under their own accounts and the only ACi's I have are the ones
>>>>> inherited
>>>> ----
>>>> It would be great if I could get some help here.
>>> The ACL Summary error log level can provide some clues.
>>> http://directory.fedoraproject.org/wiki/FAQ#Troubleshooting
>>>> I know that in OpenLDAP, ACL's are processed top down and so I'm looking
>>>> at the ACi's that would govern here.
>>>>
>>>> dc=example,dc=com has the following ACI (the second one after anonymous
>>>> access)...
>>>>
>>>> (targetattr = "carLicense ||description ||displayName
>>>> ||facsimileTelephoneNumber ||homePhone ||homePostalAddress
>>>> ||initials ||jpegPhoto ||labeledURL ||mail ||mobile ||pager ||photo
>>>> ||postOfficeBox ||postalAddress ||postalCode
>>>> ||preferredDeliveryMethod ||preferredLanguage ||registeredAddress
>>>> ||roomNumber ||secretary ||seeAlso ||st ||street ||telephoneNumber
>>>> ||telexNumber ||title ||userCertificate ||userPassword
>>>> ||userSMIMECertificate ||x500UniqueIdentifier")
>>>> (version 3.0;
>>>> acl "Enable self write for common attributes";
>>>> allow (write)
>>>> (userdn = "ldap:///self")
>>>> ;)
>>>>
>>>> and I added one more (it's on the bottom of the list - #7)...
>>>>
>>>> (targetattr = "*") (version 3.0;acl "Personal Address Books";allow
>>>> (write)(userdn = "ldap:///self");)
>> Have you tried the "add" right, to allow users to add entries under
>> their entries?
>> http://tinyurl.com/3yo88r
>>
>> I'm not sure if self will work here - you might have to use a macro ACI
>> in which the uid part of the target matches the uid part of the subject
>> - see
>> http://tinyurl.com/59ehxh
> ----
> I'm not sure if 'self' will work here either...nothing seems to work.
>
> This is the ACL that works for me in OpenLDAP...
>
> access to
> dn.regex="^ou=AddressBook,uid=([^,]+),ou=People,dc=example,dc=com$$"
> attrs=children,entry,inetOrgPerson,organizationalPerson
> by dn.exact,expand="uid=$1,ou=People,dc=example,dc=com" write
> by dn.exact="uid=administrator,ou=People,dc=example,dc=com"
> write
> by * none

This looks like a macro ACI. Have you tried a macro ACI in conjunction
with the "add" right?

> I am hesitant to fool with the access control while there are people
> working on the network but the above is exactly what I want to work in
> Fedora-DS
>
> Craig

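What Rich is pointing at, as an added example that was not posted in the thread: Craig's OpenLDAP rule rewritten as a Fedora DS / 389 DS macro ACI that carries the add right. It assumes the tree from Craig's access log (ou=People,ou=Accounts,dc=example,dc=com, administrator uid=administrator) and the ($dn) macro syntax documented for 389 / Red Hat Directory Server; test-entry.ldif is a hypothetical file name.

```ldif
# Added example (not from the thread): a macro ACI on the container
# above the uid entries, so every user's AddressBook subtree is in scope.
#
# ($dn) in the target captures the RDN sequence that sits between
# "ou=AddressBook," and ",ou=People,..." in the entry being accessed,
# i.e. "uid=craig" for cn=Test,ou=AddressBook,uid=craig,ou=People,...
# The same value is substituted into userdn, so the bind DN has to be
# uid=craig,ou=People,ou=Accounts,dc=example,dc=com. Users therefore
# cannot reach each other's address books.
#
# Why the ACIs in the thread never fire: userdn="ldap:///self" is true
# only when the bind DN equals the DN of the target entry, and a new
# cn=Test entry is never the user's own entry. "write" also covers only
# attribute changes; creating an entry needs the "add" right.
dn: ou=People,ou=Accounts,dc=example,dc=com
changetype: modify
add: aci
aci: (target="ldap:///ou=AddressBook,($dn),ou=People,ou=Accounts,dc=example,dc=com")
 (targetattr="*")
 (version 3.0; acl "Personal address book: owner has full rights";
  allow (read, search, compare, add, write, delete)
  userdn="ldap:///($dn),ou=People,ou=Accounts,dc=example,dc=com";)
aci: (target="ldap:///ou=AddressBook,uid=*,ou=People,ou=Accounts,dc=example,dc=com")
 (targetattr="*")
 (version 3.0; acl "Personal address book: administrator";
  allow (read, search, compare, add, write, delete)
  userdn="ldap:///uid=administrator,ou=People,ou=Accounts,dc=example,dc=com";)

# Check, bound as the owner (expect err=0 in the access log, not err=50):
#   ldapadd -x -D "uid=craig,ou=People,ou=Accounts,dc=example,dc=com" -W -f test-entry.ldif
# Repeat bound as a different uid and expect err=50. The ACL Summary
# error log level Rich mentions names the ACI that allowed or denied
# each operation, which is the quickest way to confirm the macro matched.
```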

James Chavez 01-05-2009 06:23 AM

ACI help
 
Hello,

I am using FDS as a replacement for NIS for user authentication and
group and host entries.

I am looking to allow anonymous searches of the directory but to
disallow the visibility of the userPassword attribute.

I would like to allow access to the userPassword attribute to only the
user that is authenticating to the directory for logins.

I have read the ACI chapter on the Directory services Administrator's
guide but I am still struggling a bit.

Thank you
James



"John A. Sullivan III" 01-05-2009 09:41 AM

ACI help
 
On Mon, 2009-01-05 at 00:23 -0700, James Chavez wrote:
> Hello,
>
> I am using FDS as a replacement for NIS for user authentication and
> group and host entries.
>
> I am looking to allow anonymous searches of the directory but to
> disallow the visibility of the userPassword attribute.
>
> I would like to allow access to the userPassword attribute to only the
> user that is authenticating to the directory for logins.
>
> I have read the ACI chapter on the Directory services Administrator's
> guide but I am still struggling a bit.
>
<snip>
We deleted the anonymous access rule so I don't have it in front of me
but I believe it defaults to not allowing access to the userPassword
attribute. I don't have an idm-console handy but I believe you can
check by right clicking on your top level container, viewing the ACIs,
selecting the anonymous access, going to the attribute tab, clicking on
the attribute column header to sort alphabetically and scrolling toward
the end. See if the userPassword attribute is unchecked. If not,
uncheck it. If you have enabled SAMBA extensions, you may also want to
uncheck the NTPassword and, oops! - forgot the other one but something
like LMPassword. Hope this helps - John
--
John A. Sullivan III
Open Source Development Corporation
+1 207-985-7880
jsullivan@opensourcedevel.com

http://www.spiritualoutreach.com
Making Christianity intelligible to secular society

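The anonymous-access ACI John describes, written out as an added example (not posted in the thread) so it can be compared with what the console shows or applied as LDIF; it assumes the suffix is dc=example,dc=com and uses the Samba 3 schema names for the two Samba hash attributes.

```ldif
# Added example (not from the thread).
#
# "targetattr !=" grants the rights on every attribute EXCEPT the ones
# listed; that is how the stock Fedora DS anonymous ACI hides
# userPassword. sambaNTPassword and sambaLMPassword are the Samba 3
# schema names for the hashes John mentions; list them only if that
# schema is loaded.
#
# Hiding userPassword from anonymous does not break logins: a BIND
# compares the supplied password inside the server and needs no read
# access to the attribute, so "only the authenticating user" is already
# satisfied. The second ACI lets each user change their own password
# without ever reading the hash back.
#
# If the stock "Enable anonymous access" ACI is still present, edit it
# as John describes instead of adding this one: allow ACIs are
# cumulative, so any other ACI that still grants anonymous read on
# userPassword would keep exposing it.
dn: dc=example,dc=com
changetype: modify
add: aci
aci: (targetattr != "userPassword || sambaNTPassword || sambaLMPassword")
 (version 3.0; acl "Enable anonymous access, password hashes excluded";
  allow (read, search, compare) userdn="ldap:///anyone";)
aci: (targetattr = "userPassword")
 (version 3.0; acl "Users may change their own password";
  allow (write) userdn="ldap:///self";)

# Check: an anonymous search must return the entry but no userPassword
# value, while a bind as that user with the right password still succeeds:
#   ldapsearch -x -b dc=example,dc=com "(uid=james)" userPassword
#   ldapwhoami -x -D "uid=james,ou=People,dc=example,dc=com" -W
```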

Josh Ellsworth 09-17-2012 11:58 AM

ACI help
 
I am trying to grant a specific group the ability to edit one attribute. I have the following ACI in place with no success:

(targetattr ="description")(version 3.0;acl "evolvadmins description modify";allow(all) (groupdn = "ldap:///cn=evolvadmins,ou=Groups,dc=evolv,dc=com");)

Any ideas what I need to do? Any good guides to troubleshooting and writing ACIs?

Josh

--
Joshua Ellsworth
Senior Systems Administrator, Primatics Financial
Phone: 571.765.7528
jellsworth@primaticsfinancial.com


--
389 users mailing list
389-users@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/389-users

