ACI help
I have users personal address books as an ou under their accounts...
ou=AddressBook,uid=craig,ou=People,ou=Accounts,dc=example,dc=com

but when I try to add an entry, I am blocked...

[28/Aug/2008:12:42:11 -0700] conn=18613 op=1 ADD dn="cn=Test,ou=AddressBook,uid=craig,ou=People,ou=Accounts,dc=example,dc=com"
[28/Aug/2008:12:42:11 -0700] conn=18613 op=1 RESULT err=50 tag=105 nentries=0 etime=0

I need an ACI that allows each uid account to read/write entries in OUs under their own accounts, and the only ACIs I have are the ones inherited.

Craig

--
Fedora-directory-users mailing list
Fedora-directory-users@redhat.com
https://www.redhat.com/mailman/listinfo/fedora-directory-users
ACI help
On Thu, 2008-08-28 at 13:53 -0700, Craig White wrote:
> I have users personal address books as an ou under their accounts...
>
> ou=AddressBook,uid=craig,ou=People,ou=Accounts,dc=example,dc=com
>
> but when I try to add an entry, I am blocked...
>
> [28/Aug/2008:12:42:11 -0700] conn=18613 op=1 ADD dn="cn=Test,ou=AddressBook,uid=craig,ou=People,ou=Accounts,dc=example,dc=com"
> [28/Aug/2008:12:42:11 -0700] conn=18613 op=1 RESULT err=50 tag=105 nentries=0 etime=0
>
> I need an ACI that allows each uid account to read/write entries in OUs
> under their own accounts and the only ACIs I have are the ones
> inherited
----
It would be great if I could get some help here.

I know that in OpenLDAP, ACLs are processed top down, and so I'm looking at the ACIs that would govern here.

dc=example,dc=com has the following ACI (the second one after anonymous access)...

(targetattr = "carLicense ||description ||displayName ||facsimileTelephoneNumber ||homePhone ||homePostalAddress ||initials ||jpegPhoto ||labeledURL ||mail ||mobile ||pager ||photo ||postOfficeBox ||postalAddress ||postalCode ||preferredDeliveryMethod ||preferredLanguage ||registeredAddress ||roomNumber ||secretary ||seeAlso ||st ||street ||telephoneNumber ||telexNumber ||title ||userCertificate ||userPassword ||userSMIMECertificate ||x500UniqueIdentifier")
(version 3.0;
 acl "Enable self write for common attributes";
 allow (write)
 (userdn = "ldap:///self")
;)

and I added one more (it's on the bottom of the list - #7)...

(targetattr = "*") (version 3.0;acl "Personal Address Books";allow (write)(userdn = "ldap:///self");)

but still...

[31/Aug/2008:10:27:57 -0700] conn=2625 op=0 BIND dn="uid=administrator,ou=People,ou=Accounts,dc=example,dc=com" method=128 version=3
[31/Aug/2008:10:27:57 -0700] conn=2625 op=0 RESULT err=0 tag=97 nentries=0 etime=0 dn="uid=administrator,ou=people,ou=accounts,dc=example,dc=com"
[31/Aug/2008:10:27:57 -0700] conn=2625 op=1 ADD dn="cn=Test,ou=AddressBook,uid=administrator,ou=People,ou=Accounts,dc=example,dc=com"
[31/Aug/2008:10:27:57 -0700] conn=2625 op=1 RESULT err=50 tag=105 nentries=0 etime=0

Craig
ACI help
Craig White wrote:
> On Thu, 2008-08-28 at 13:53 -0700, Craig White wrote:
>> I have users personal address books as an ou under their accounts...
>>
>> ou=AddressBook,uid=craig,ou=People,ou=Accounts,dc=example,dc=com
>>
>> but when I try to add an entry, I am blocked...
>>
>> [28/Aug/2008:12:42:11 -0700] conn=18613 op=1 ADD dn="cn=Test,ou=AddressBook,uid=craig,ou=People,ou=Accounts,dc=example,dc=com"
>> [28/Aug/2008:12:42:11 -0700] conn=18613 op=1 RESULT err=50 tag=105 nentries=0 etime=0
>>
>> I need an ACI that allows each uid account to read/write entries in OUs
>> under their own accounts and the only ACIs I have are the ones
>> inherited
> ----
> It would be great if I could get some help here.

The ACL Summary error log level can provide some clues.
http://directory.fedoraproject.org/wiki/FAQ#Troubleshooting

> I know that in OpenLDAP, ACLs are processed top down and so I'm looking
> at the ACIs that would govern here.
>
> dc=example,dc=com has the following ACI (the second one after anonymous
> access)...
>
> (targetattr = "carLicense ||description ||displayName ||facsimileTelephoneNumber ||homePhone ||homePostalAddress ||initials ||jpegPhoto ||labeledURL ||mail ||mobile ||pager ||photo ||postOfficeBox ||postalAddress ||postalCode ||preferredDeliveryMethod ||preferredLanguage ||registeredAddress ||roomNumber ||secretary ||seeAlso ||st ||street ||telephoneNumber ||telexNumber ||title ||userCertificate ||userPassword ||userSMIMECertificate ||x500UniqueIdentifier")
> (version 3.0;
>  acl "Enable self write for common attributes";
>  allow (write)
>  (userdn = "ldap:///self")
> ;)
>
> and I added one more (it's on the bottom of the list - #7)...
>
> (targetattr = "*") (version 3.0;acl "Personal Address Books";allow
> (write)(userdn = "ldap:///self");)
>
> but still...
>
> [31/Aug/2008:10:27:57 -0700] conn=2625 op=0 BIND dn="uid=administrator,ou=People,ou=Accounts,dc=example,dc=com" method=128 version=3
> [31/Aug/2008:10:27:57 -0700] conn=2625 op=0 RESULT err=0 tag=97 nentries=0 etime=0 dn="uid=administrator,ou=people,ou=accounts,dc=example,dc=com"
> [31/Aug/2008:10:27:57 -0700] conn=2625 op=1 ADD dn="cn=Test,ou=AddressBook,uid=administrator,ou=People,ou=Accounts,dc=example,dc=com"
> [31/Aug/2008:10:27:57 -0700] conn=2625 op=1 RESULT err=50 tag=105 nentries=0 etime=0
>
> Craig
ACI help
On Tue, 2008-09-02 at 09:26 -0600, Rich Megginson wrote:
> Craig White wrote:
>> On Thu, 2008-08-28 at 13:53 -0700, Craig White wrote:
>>> I have users personal address books as an ou under their accounts...
>>>
>>> ou=AddressBook,uid=craig,ou=People,ou=Accounts,dc=example,dc=com
>>>
>>> but when I try to add an entry, I am blocked...
>>>
>>> [28/Aug/2008:12:42:11 -0700] conn=18613 op=1 ADD dn="cn=Test,ou=AddressBook,uid=craig,ou=People,ou=Accounts,dc=example,dc=com"
>>> [28/Aug/2008:12:42:11 -0700] conn=18613 op=1 RESULT err=50 tag=105 nentries=0 etime=0
>>>
>>> I need an ACI that allows each uid account to read/write entries in OUs
>>> under their own accounts and the only ACIs I have are the ones
>>> inherited
>> ----
>> It would be great if I could get some help here.
>
> The ACL Summary error log level can provide some clues.
> http://directory.fedoraproject.org/wiki/FAQ#Troubleshooting
----
I've been all over that and I understand that err=50 is insufficient access, and I've read all the pages I can find on the wiki and the 7.1 support pages, but it's not helping.

I hate to say this, but I can do this so simply with OpenLDAP and I'm mystified why it is so difficult to do on Fedora-DS.

Craig
ACI help
Rich Megginson wrote:
> Craig White wrote:
>> On Thu, 2008-08-28 at 13:53 -0700, Craig White wrote:
>>> I have users personal address books as an ou under their accounts...
>>>
>>> ou=AddressBook,uid=craig,ou=People,ou=Accounts,dc=example,dc=com
>>>
>>> but when I try to add an entry, I am blocked...
>>>
>>> [28/Aug/2008:12:42:11 -0700] conn=18613 op=1 ADD dn="cn=Test,ou=AddressBook,uid=craig,ou=People,ou=Accounts,dc=example,dc=com"
>>> [28/Aug/2008:12:42:11 -0700] conn=18613 op=1 RESULT err=50 tag=105 nentries=0 etime=0
>>>
>>> I need an ACI that allows each uid account to read/write entries in OUs
>>> under their own accounts and the only ACIs I have are the ones
>>> inherited
>> ----
>> It would be great if I could get some help here.
>
> The ACL Summary error log level can provide some clues.
> http://directory.fedoraproject.org/wiki/FAQ#Troubleshooting
>
>> I know that in OpenLDAP, ACLs are processed top down and so I'm looking
>> at the ACIs that would govern here.
>>
>> dc=example,dc=com has the following ACI (the second one after anonymous
>> access)...
>>
>> (targetattr = "carLicense ||description ||displayName ||facsimileTelephoneNumber ||homePhone ||homePostalAddress ||initials ||jpegPhoto ||labeledURL ||mail ||mobile ||pager ||photo ||postOfficeBox ||postalAddress ||postalCode ||preferredDeliveryMethod ||preferredLanguage ||registeredAddress ||roomNumber ||secretary ||seeAlso ||st ||street ||telephoneNumber ||telexNumber ||title ||userCertificate ||userPassword ||userSMIMECertificate ||x500UniqueIdentifier")
>> (version 3.0;
>>  acl "Enable self write for common attributes";
>>  allow (write)
>>  (userdn = "ldap:///self")
>> ;)
>>
>> and I added one more (it's on the bottom of the list - #7)...
>>
>> (targetattr = "*") (version 3.0;acl "Personal Address Books";allow
>> (write)(userdn = "ldap:///self");)

Have you tried the "add" right, to allow users to add entries under their entries?
http://tinyurl.com/3yo88r

I'm not sure if self will work here - you might have to use a macro ACI in which the uid part of the target matches the uid part of the subject - see
http://tinyurl.com/59ehxh

>> but still...
>>
>> [31/Aug/2008:10:27:57 -0700] conn=2625 op=0 BIND dn="uid=administrator,ou=People,ou=Accounts,dc=example,dc=com" method=128 version=3
>> [31/Aug/2008:10:27:57 -0700] conn=2625 op=0 RESULT err=0 tag=97 nentries=0 etime=0 dn="uid=administrator,ou=people,ou=accounts,dc=example,dc=com"
>> [31/Aug/2008:10:27:57 -0700] conn=2625 op=1 ADD dn="cn=Test,ou=AddressBook,uid=administrator,ou=People,ou=Accounts,dc=example,dc=com"
>> [31/Aug/2008:10:27:57 -0700] conn=2625 op=1 RESULT err=50 tag=105 nentries=0 etime=0
>>
>> Craig
ACI help
On Tue, 2008-09-02 at 09:59 -0600, Rich Megginson wrote:
> Rich Megginson wrote:
>> Craig White wrote:
>>> On Thu, 2008-08-28 at 13:53 -0700, Craig White wrote:
>>>> I have users personal address books as an ou under their accounts...
>>>>
>>>> ou=AddressBook,uid=craig,ou=People,ou=Accounts,dc=example,dc=com
>>>>
>>>> but when I try to add an entry, I am blocked...
>>>>
>>>> [28/Aug/2008:12:42:11 -0700] conn=18613 op=1 ADD dn="cn=Test,ou=AddressBook,uid=craig,ou=People,ou=Accounts,dc=example,dc=com"
>>>> [28/Aug/2008:12:42:11 -0700] conn=18613 op=1 RESULT err=50 tag=105 nentries=0 etime=0
>>>>
>>>> I need an ACI that allows each uid account to read/write entries in OUs
>>>> under their own accounts and the only ACIs I have are the ones
>>>> inherited
>>> ----
>>> It would be great if I could get some help here.
>>
>> The ACL Summary error log level can provide some clues.
>> http://directory.fedoraproject.org/wiki/FAQ#Troubleshooting
>>
>>> I know that in OpenLDAP, ACLs are processed top down and so I'm looking
>>> at the ACIs that would govern here.
>>>
>>> dc=example,dc=com has the following ACI (the second one after anonymous
>>> access)...
>>>
>>> (targetattr = "carLicense ||description ||displayName ||facsimileTelephoneNumber ||homePhone ||homePostalAddress ||initials ||jpegPhoto ||labeledURL ||mail ||mobile ||pager ||photo ||postOfficeBox ||postalAddress ||postalCode ||preferredDeliveryMethod ||preferredLanguage ||registeredAddress ||roomNumber ||secretary ||seeAlso ||st ||street ||telephoneNumber ||telexNumber ||title ||userCertificate ||userPassword ||userSMIMECertificate ||x500UniqueIdentifier")
>>> (version 3.0;
>>>  acl "Enable self write for common attributes";
>>>  allow (write)
>>>  (userdn = "ldap:///self")
>>> ;)
>>>
>>> and I added one more (it's on the bottom of the list - #7)...
>>>
>>> (targetattr = "*") (version 3.0;acl "Personal Address Books";allow
>>> (write)(userdn = "ldap:///self");)
>
> Have you tried the "add" right, to allow users to add entries under
> their entries?
> http://tinyurl.com/3yo88r
>
> I'm not sure if self will work here - you might have to use a macro ACI
> in which the uid part of the target matches the uid part of the subject
> - see
> http://tinyurl.com/59ehxh
----
I'm not sure if 'self' will work here either...nothing seems to work.

This is the ACL that works for me in OpenLDAP...

access to dn.regex="^ou=AddressBook,uid=([^,]+),ou=People,dc=example,dc=com$$"
        attrs=children,entry,inetOrgPerson,organizationalPerson
        by dn.exact,expand="uid=$1,ou=People,dc=example,dc=com" write
        by dn.exact="uid=administrator,ou=People,dc=example,dc=com" write
        by * none

I am hesitant to fool with the access control while there are people working on the network, but the above is exactly what I want to work in Fedora-DS.

Craig
ACI help
Craig White wrote:
> On Tue, 2008-09-02 at 09:59 -0600, Rich Megginson wrote:
>> Rich Megginson wrote:
>>> Craig White wrote:
>>>> On Thu, 2008-08-28 at 13:53 -0700, Craig White wrote:
>>>>> I have users personal address books as an ou under their accounts...
>>>>>
>>>>> ou=AddressBook,uid=craig,ou=People,ou=Accounts,dc=example,dc=com
>>>>>
>>>>> but when I try to add an entry, I am blocked...
>>>>>
>>>>> [28/Aug/2008:12:42:11 -0700] conn=18613 op=1 ADD dn="cn=Test,ou=AddressBook,uid=craig,ou=People,ou=Accounts,dc=example,dc=com"
>>>>> [28/Aug/2008:12:42:11 -0700] conn=18613 op=1 RESULT err=50 tag=105 nentries=0 etime=0
>>>>>
>>>>> I need an ACI that allows each uid account to read/write entries in OUs
>>>>> under their own accounts and the only ACIs I have are the ones
>>>>> inherited
>>>> ----
>>>> It would be great if I could get some help here.
>>>
>>> The ACL Summary error log level can provide some clues.
>>> http://directory.fedoraproject.org/wiki/FAQ#Troubleshooting
>>>
>>>> I know that in OpenLDAP, ACLs are processed top down and so I'm looking
>>>> at the ACIs that would govern here.
>>>>
>>>> dc=example,dc=com has the following ACI (the second one after anonymous
>>>> access)...
>>>>
>>>> (targetattr = "carLicense ||description ||displayName ||facsimileTelephoneNumber ||homePhone ||homePostalAddress ||initials ||jpegPhoto ||labeledURL ||mail ||mobile ||pager ||photo ||postOfficeBox ||postalAddress ||postalCode ||preferredDeliveryMethod ||preferredLanguage ||registeredAddress ||roomNumber ||secretary ||seeAlso ||st ||street ||telephoneNumber ||telexNumber ||title ||userCertificate ||userPassword ||userSMIMECertificate ||x500UniqueIdentifier")
>>>> (version 3.0;
>>>>  acl "Enable self write for common attributes";
>>>>  allow (write)
>>>>  (userdn = "ldap:///self")
>>>> ;)
>>>>
>>>> and I added one more (it's on the bottom of the list - #7)...
>>>>
>>>> (targetattr = "*") (version 3.0;acl "Personal Address Books";allow
>>>> (write)(userdn = "ldap:///self");)
>>
>> Have you tried the "add" right, to allow users to add entries under
>> their entries?
>> http://tinyurl.com/3yo88r
>>
>> I'm not sure if self will work here - you might have to use a macro ACI
>> in which the uid part of the target matches the uid part of the subject
>> - see
>> http://tinyurl.com/59ehxh
> ----
> I'm not sure if 'self' will work here either...nothing seems to work.
>
> This is the ACL that works for me in OpenLDAP...
>
> access to dn.regex="^ou=AddressBook,uid=([^,]+),ou=People,dc=example,dc=com$$"
>         attrs=children,entry,inetOrgPerson,organizationalPerson
>         by dn.exact,expand="uid=$1,ou=People,dc=example,dc=com" write
>         by dn.exact="uid=administrator,ou=People,dc=example,dc=com" write
>         by * none

This looks like a macro ACI. Have you tried a macro ACI in conjunction with the "add" right?

> I am hesitant to fool with the access control while there are people
> working on the network but the above is exactly what I want to work in
> Fedora-DS
>
> Craig
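As an added example (not from the thread and not from the Fedora DS project), this is what Craig's OpenLDAP rule looks like as the macro ACI Rich points at, carrying the "add" right. Craig's "self" ACIs cannot apply here because userdn="ldap:///self" only matches the bound user's own entry, never the entries below it. The DIT layout is Craig's; the ACI name and the assumption that ($dn) may match the uid value of an RDN (as Rich's description implies) are mine.

```ldif
# Added example: per-user address book ACI for 389 DS / Fedora DS.
# Load as Directory Manager: ldapmodify -x -D "cn=Directory Manager" -W -f this.ldif
#
# ($dn) in the target captures the uid value of the address book's owner.
# The same ($dn) in the bind rule is replaced with the captured value, so
# uid=craig matches only ou=AddressBook,uid=craig,... and nobody else's.
# write alone only modifies existing entries; add and delete are needed to
# create and remove child entries such as cn=Test, which is what got err=50.
# targetattr != "aci" stops an owner writing aci values into that subtree
# and thereby handing other users access to it.
dn: dc=example,dc=com
changetype: modify
add: aci
aci: (target = "ldap:///ou=AddressBook,uid=($dn),ou=People,ou=Accounts,dc=example,dc=com")
 (targetattr != "aci")
 (version 3.0; acl "Personal Address Books (owner only)";
  allow (read,search,compare,write,add,delete)
  (userdn = "ldap:///uid=($dn),ou=People,ou=Accounts,dc=example,dc=com");)
```

After loading it, repeat the ADD that returned err=50 with the ACL Summary error log level Rich mentioned switched on; the errors log then names the ACI that allowed or denied the operation.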
ACI help
Hello,
I am using FDS as a replacement for NIS for user authentication and group and host entries.

I am looking to allow anonymous searches of the directory but to disallow the visibility of the userPassword attribute.

I would like to allow access to the userPassword attribute to only the user that is authenticating to the directory for logins.

I have read the ACI chapter on the Directory services Administrator's guide but I am still struggling a bit.

Thank you
James
ACI help
On Mon, 2009-01-05 at 00:23 -0700, James Chavez wrote:
> Hello,
>
> I am using FDS as a replacement for NIS for user authentication and
> group and host entries.
>
> I am looking to allow anonymous searches of the directory but to
> disallow the visibility of the userPassword attribute.
>
> I would like to allow access to the userPassword attribute to only the
> user that is authenticating to the directory for logins.
>
> I have read the ACI chapter on the Directory services Administrator's
> guide but I am still struggling a bit.
> <snip>
We deleted the anonymous access rule so I don't have it in front of me, but I believe it defaults to not allowing access to the userPassword attribute.

I don't have an idm-console handy, but I believe you can check by right clicking on your top level container, viewing the ACIs, selecting the anonymous access, going to the attribute tab, clicking on the attribute column header to sort alphabetically and scrolling toward the end. See if the userPassword attribute is unchecked. If not, uncheck it.

If you have enabled SAMBA extensions, you may also want to uncheck the NTPassword and, oops! - forgot the other one but something like LMPassword.

Hope this helps - John
--
John A. Sullivan III
Open Source Development Corporation
+1 207-985-7880
jsullivan@opensourcedevel.com

http://www.spiritualoutreach.com
Making Christianity intelligible to secular society
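As an added example (not from the thread), the two ACIs that express James's requirement in LDIF form, for checking against what the console shows: anonymous read, search and compare on everything except userPassword, and write on userPassword for the user's own entry only. The suffix dc=example,dc=com and the ACI names are assumptions.

```ldif
# Added example: anonymous directory reads with userPassword hidden.
# ACIs are additive, so this only holds once no other rule still grants
# anonymous access to userPassword (the default "anonymous access" rule
# John describes is the one to check or remove first).
dn: dc=example,dc=com
changetype: modify
add: aci
aci: (targetattr != "userPassword")
 (version 3.0; acl "Anonymous read, userPassword excluded";
  allow (read,search,compare)
  (userdn = "ldap:///anyone");)
-
add: aci
aci: (targetattr = "userPassword")
 (version 3.0; acl "Users change only their own password";
  allow (write)
  (userdn = "ldap:///self");)
# A bind verifies the password server-side and needs no read right on
# userPassword, so nothing grants read on it, not even to the user.
# Excluding it from compare as well keeps anonymous clients from testing
# password guesses with LDAP compare. With Samba schema in use, the
# sambaNTPassword and sambaLMPassword attributes need the same treatment.
```

Verify with an anonymous ldapsearch over ou=People that no userPassword value is returned, and with a bind as an ordinary user that a modify of that user's own userPassword succeeds while a modify of another user's fails with err=50.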
ACI help
I am trying to grant a specific group the ability to edit one attribute. I have the following ACI in place with no success:
(targetattr ="description")(version 3.0;acl "evolvadmins description modify";allow(all) (groupdn = "ldap:///cn=evolvadmins,ou=Groups,dc=evolv,dc=com");)

Any ideas what I need to do? Any good guides to troubleshooting and writing ACIs?

Josh

--
Joshua Ellsworth
Senior Systems Administrator, Primatics Financial
Phone: 571.765.7528
jellsworth@primaticsfinancial.com

--
389 users mailing list
389-users@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/389-users