I need an ACI that allows each uid account to read/write entries in OUs
under their own accounts and the only ACIs I have are the ones
inherited
Craig
--
Fedora-directory-users mailing list
Fedora-directory-users@redhat.com
https://www.redhat.com/mailman/listinfo/fedora-directory-users
08-31-2008, 07:00 PM
Craig White
ACI help
On Thu, 2008-08-28 at 13:53 -0700, Craig White wrote:
> I have users personal address books as an ou under their accounts...
>
> ou=AddressBook,uid=craig,ou=People,ou=Accounts,dc=example,dc=com
>
> but when I try to add an entry, I am blocked...
>
> [28/Aug/2008:12:42:11 -0700] conn=18613 op=1 ADD
> dn="cn=Test,ou=AddressBook,uid=craig,ou=People,ou=Accounts,dc=example,dc=com"
> [28/Aug/2008:12:42:11 -0700] conn=18613 op=1 RESULT err=50 tag=105
> nentries=0 etime=0
>
> I need an ACI that allows each uid account to read/write entries in OUs
> under their own accounts and the only ACIs I have are the ones
> inherited
----
It would be great if I could get some help here.
I know that in OpenLDAP, ACL's are processed top down and so I'm looking
at the ACi's that would govern here.
dc=example,dc=com has the following ACI (the second one after anonymous
access)...
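The access-log lines quoted in the thread are the first place to look when an operation is refused, but a bare `RESULT err=50` line says nothing about which operation or which bound identity it belongs to. The following is an added example, not code from the thread or from Fedora DS: it correlates ADD/MOD/BIND request lines with their RESULT lines by `conn`/`op`, remembers which DN each connection is bound as, and reports the insufficient-access denials. The log sample is constructed from the lines quoted in the thread (with a BIND and a successful MOD added for contrast); it handles only the line shapes shown, so SRCH lines, which log `base=` rather than `dn=`, are skipped.

```python
"""Added example (not from the thread): correlate 389/Fedora DS access-log
lines by conn/op so that an err=50 (insufficientAccessRights) RESULT can be
reported next to the operation and bind identity it belongs to."""
import re

# Constructed sample log, modelled on the ADD/RESULT pair quoted in the
# thread, with a preceding BIND and a successful MOD added for contrast.
SAMPLE_LOG = """\
[28/Aug/2008:12:42:10 -0700] conn=18613 op=0 BIND dn="uid=craig,ou=People,ou=Accounts,dc=example,dc=com" method=128 version=3
[28/Aug/2008:12:42:10 -0700] conn=18613 op=0 RESULT err=0 tag=97 nentries=0 etime=0
[28/Aug/2008:12:42:11 -0700] conn=18613 op=1 ADD dn="cn=Test,ou=AddressBook,uid=craig,ou=People,ou=Accounts,dc=example,dc=com"
[28/Aug/2008:12:42:11 -0700] conn=18613 op=1 RESULT err=50 tag=105 nentries=0 etime=0
[28/Aug/2008:12:43:05 -0700] conn=18613 op=2 MOD dn="uid=craig,ou=People,ou=Accounts,dc=example,dc=com"
[28/Aug/2008:12:43:05 -0700] conn=18613 op=2 RESULT err=0 tag=103 nentries=0 etime=0
"""

INSUFFICIENT_ACCESS = 50  # LDAP resultCode insufficientAccessRights

LINE_RE = re.compile(
    r'^\[(?P<ts>[^\]]+)\] conn=(?P<conn>\d+) op=(?P<op>\d+) (?P<rest>.*)$')
# Request lines that carry a dn="..." (SRCH lines log base=, not dn=, and are skipped).
OP_RE = re.compile(r'^(?P<kind>BIND|ADD|MOD|MODRDN|DEL) dn="(?P<dn>[^"]*)"')
RESULT_RE = re.compile(r'^RESULT err=(?P<err>\d+)')


def parse_access_log(text):
    """Return completed operations as dicts with ts, conn, op, kind, dn, err
    and bind_dn (the DN the connection was bound as when the op was issued)."""
    pending = {}    # (conn, op) -> request waiting for its RESULT line
    bound_as = {}   # conn -> DN of the last successful BIND on that connection
    ops = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        key = (m['conn'], m['op'])
        op_m = OP_RE.match(m['rest'])
        if op_m:
            pending[key] = {'ts': m['ts'], 'conn': m['conn'], 'op': m['op'],
                            'kind': op_m['kind'], 'dn': op_m['dn'],
                            'bind_dn': bound_as.get(m['conn'], 'anonymous')}
            continue
        res_m = RESULT_RE.match(m['rest'])
        if res_m and key in pending:
            rec = pending.pop(key)
            rec['err'] = int(res_m['err'])
            # A successful BIND changes the identity for later ops on this conn.
            if rec['kind'] == 'BIND' and rec['err'] == 0:
                bound_as[rec['conn']] = rec['dn']
            ops.append(rec)
    return ops


def find_access_denials(text):
    """Operations that ended with err=50, i.e. no ACI granted the needed right."""
    return [op for op in parse_access_log(text) if op['err'] == INSUFFICIENT_ACCESS]


if __name__ == '__main__':
    for d in find_access_denials(SAMPLE_LOG):
        print(f"{d['ts']} conn={d['conn']} {d['kind']} {d['dn']} denied for {d['bind_dn']}")
```

Run against a real access log, the report tells you which bind DN was refused which right on which entry; the ACL Summary error-log level that Rich points to later in the thread then shows which ACIs were evaluated for that operation.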
09-02-2008, 03:35 PM
Craig White
ACI help
On Tue, 2008-09-02 at 09:26 -0600, Rich Megginson wrote:
> Craig White wrote:
> > On Thu, 2008-08-28 at 13:53 -0700, Craig White wrote:
> >
> >> I have users personal address books as an ou under their accounts...
> >>
> >> ou=AddressBook,uid=craig,ou=People,ou=Accounts,dc=example,dc=com
> >>
> >> but when I try to add an entry, I am blocked...
> >>
> >> [28/Aug/2008:12:42:11 -0700] conn=18613 op=1 ADD
> >> dn="cn=Test,ou=AddressBook,uid=craig,ou=People,ou=Accounts,dc=example,dc=com"
> >> [28/Aug/2008:12:42:11 -0700] conn=18613 op=1 RESULT err=50 tag=105
> >> nentries=0 etime=0
> >>
> >> I need an ACI that allows each uid account to read/write entries in OUs
> >> under their own accounts and the only ACIs I have are the ones
> >> inherited
> >>
> > ----
> > It would be great if I could get some help here.
> >
> The ACL Summary error log level can provide some clues.
> http://directory.fedoraproject.org/wiki/FAQ#Troubleshooting
----
I've been all over that and I understand that err=50 is insufficient
access and I've read all the pages I can find on the wiki and the 7.1
support pages but it's not helping.
I hate to say this but I can do this so simply with OpenLDAP and I'm
mystified why it is so difficult to do on Fedora-DS.
Craig
09-02-2008, 03:59 PM
Rich Megginson
ACI help
Rich Megginson wrote:
> Craig White wrote:
> > On Thu, 2008-08-28 at 13:53 -0700, Craig White wrote:
> > > I have users personal address books as an ou under their accounts...
> > (version 3.0;
> > acl "Enable self write for common attributes";
> > allow (write)
> > (userdn = "ldap:///self")
> >
> > and I added one more (it's on the bottom of the list - #7)...
> >
> > (targetattr = "*") (version 3.0;acl "Personal Address Books";allow
> > (write)(userdn = "ldap:///self")
Have you tried the "add" right, to allow users to add entries under
their entries?
http://tinyurl.com/3yo88r
I'm not sure if self will work here - you might have to use a macro ACI
in which the uid part of the target matches the uid part of the subject
- see
09-02-2008, 05:58 PM
Craig White
ACI help
On Tue, 2008-09-02 at 09:59 -0600, Rich Megginson wrote:
> Rich Megginson wrote:
> > Craig White wrote:
> >> On Thu, 2008-08-28 at 13:53 -0700, Craig White wrote:
> >>
> >>> I have users personal address books as an ou under their accounts...
> >>>
> >>> ou=AddressBook,uid=craig,ou=People,ou=Accounts,dc=example,dc=com
> >>>
> >>> but when I try to add an entry, I am blocked...
> >>>
> >>> [28/Aug/2008:12:42:11 -0700] conn=18613 op=1 ADD
> >>> dn="cn=Test,ou=AddressBook,uid=craig,ou=People,ou=Accounts,dc=example,dc=com"
> >>>
> >>> [28/Aug/2008:12:42:11 -0700] conn=18613 op=1 RESULT err=50 tag=105
> >>> nentries=0 etime=0
> >>>
> >>> I need an ACI that allows each uid account to read/write entries in
> >>> OUs
> >>> under their own accounts and the only ACIs I have are the ones
> >>> inherited
> >>>
> >> ----
> >> It would be great if I could get some help here.
> >>
> > The ACL Summary error log level can provide some clues.
> > http://directory.fedoraproject.org/wiki/FAQ#Troubleshooting
> >> I know that in OpenLDAP, ACL's are processed top down and so I'm looking
> >> at the ACi's that would govern here.
> >>
> >> dc=example,dc=com has the following ACI (the second one after anonymous
> >> access)...
> >>
> >> (targetattr = "carLicense ||description ||displayName
> >> ||facsimileTelephoneNumber ||homePhone ||homePostalAddress
> >> ||initials ||jpegPhoto ||labeledURL ||mail ||mobile ||pager ||photo
> >> ||postOfficeBox ||postalAddress ||postalCode
> >> ||preferredDeliveryMethod ||preferredLanguage ||registeredAddress
> >> ||roomNumber ||secretary ||seeAlso ||st ||street ||telephoneNumber
> >> ||telexNumber ||title ||userCertificate ||userPassword
> >> ||userSMIMECertificate ||x500UniqueIdentifier")
> >> (version 3.0;
> >> acl "Enable self write for common attributes";
> >> allow (write)
> >> (userdn = "ldap:///self")
> >>
> >>
> >> and I added one more (it's on the bottom of the list - #7)...
> >>
> >> (targetattr = "*") (version 3.0;acl "Personal Address Books";allow
> >> (write)(userdn = "ldap:///self")
> Have you tried the "add" right, to allow users to add entries under
> their entries?
> *http://tinyurl.com/3yo88r*
>
> I'm not sure if self will work here - you might have to use a macro ACI
> in which the uid part of the target matches the uid part of the subject
> - see
> http://tinyurl.com/59ehxh
> >>
----
I'm not sure if 'self' will work here either...nothing seems to work.
This is the ACL that works for me in OpenLDAP...
access to
dn.regex="^ou=AddressBook,uid=([^,]+),ou=People,dc=example,dc=com$$"
attrs=children,entry,inetOrgPerson,organizationalPerson
by dn.exact,expand="uid=$1,ou=People,dc=example,dc=com" write
by dn.exact="uid=administrator,ou=People,dc=example,dc=com" write
by * none
I am hesitant to fool with the access control while there are people
working on the network but the above is exactly what I want to work in
Fedora-DS
Craig
09-02-2008, 06:10 PM
Rich Megginson
ACI help
Craig White wrote:
> On Tue, 2008-09-02 at 09:59 -0600, Rich Megginson wrote:
> > Rich Megginson wrote:
> > > Craig White wrote:
> > > > On Thu, 2008-08-28 at 13:53 -0700, Craig White wrote:
> > > > > I have users personal address books as an ou under their accounts...
> > Have you tried the "add" right, to allow users to add entries under
> > their entries?
> > http://tinyurl.com/3yo88r
> > I'm not sure if self will work here - you might have to use a macro ACI
> > in which the uid part of the target matches the uid part of the subject
> > - see
> > http://tinyurl.com/59ehxh
> ----
> I'm not sure if 'self' will work here either...nothing seems to work.
> This is the ACL that works for me in OpenLDAP...
> access to
> dn.regex="^ou=AddressBook,uid=([^,]+),ou=People,dc=example,dc=com$$"
> attrs=children,entry,inetOrgPerson,organizationalPerson
> by dn.exact,expand="uid=$1,ou=People,dc=example,dc=com" write
> by dn.exact="uid=administrator,ou=People,dc=example,dc=com" write
> by * none
This looks like a macro ACI. Have you tried a macro ACI in conjunction
with the "add" right?
> I am hesitant to fool with the access control while there are people
> working on the network but the above is exactly what I want to work in
> Fedora-DS
> Craig
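What Rich is pointing at in the two replies above can be written down as one ACI. The LDIF below is an added example, not from the thread, the Fedora DS project or its documentation; it is my translation of Craig's OpenLDAP `dn.regex`/`expand` rule into a 389/Fedora DS macro ACI, using the `ou=People,ou=Accounts,dc=example,dc=com` layout from the access log in the thread (the OpenLDAP rule omits `ou=Accounts`). The reason `userdn = "ldap:///self"` never fires here is that `self` matches only when the target entry is the bind DN itself; `cn=Test,ou=AddressBook,uid=craig,...` is a different entry, so no ACI grants the `add` right and the server returns err=50. With a macro ACI, `($dn)` in the target captures the `uid=<name>` part of the entry being accessed and the same value is substituted into `userdn`, which is the "uid part of the target matches the uid part of the subject" Rich describes. No equivalent of `by * none` is needed: 389 DS denies anything no ACI allows.

```ldif
# Added example (not from the thread). Assumed layout: accounts live under
# ou=People,ou=Accounts,dc=example,dc=com, each with its own ou=AddressBook.
#
# The ACI sits on the container holding the accounts, so it covers every
# account's address book. ($dn) in the target matches the RDN(s) between
# ou=AddressBook and ou=People (uid=craig for Craig's entries); the matched
# value is substituted for ($dn) in userdn, so a bind as uid=craig only gets
# rights on entries under ou=AddressBook,uid=craig. "add" creates child
# entries, "write" modifies them, "delete" removes them.
dn: ou=People,ou=Accounts,dc=example,dc=com
changetype: modify
add: aci
aci: (target = "ldap:///ou=AddressBook,($dn),ou=People,ou=Accounts,dc=example,dc=com")(targetattr = "*")(version 3.0; acl "Personal Address Books"; allow (read, search, compare, add, write, delete) userdn = "ldap:///($dn),ou=People,ou=Accounts,dc=example,dc=com";)
```

Load it as the directory manager with `ldapmodify -x -H ldap://localhost -D "cn=Directory Manager" -W -f addressbook-aci.ldif`, then repeat the ADD from the thread bound as `uid=craig`; the access log should show `RESULT err=0` for that op. Note that `($dn)` can match more than one RDN, so an entry nested deeper than `uid=<name>` between the two OUs would also be matched; keep the tree flat at that level or tighten the target.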
01-05-2009, 06:23 AM
James Chavez
ACI help
Hello,
I am using FDS as a replacement for NIS for user authentication and
group and host entries.
I am looking to allow anonymous searches of the directory but to
disallow the visibility of the userPassword attribute.
I would like to allow access to the userPassword attribute to only the
user that is authenticating to the directory for logins.
I have read the ACI chapter on the Directory services Administrator's
guide but I am still struggling a bit.
Thank you
James
01-05-2009, 09:41 AM
"John A. Sullivan III"
ACI help
On Mon, 2009-01-05 at 00:23 -0700, James Chavez wrote:
> Hello,
>
> I am using FDS as a replacement for NIS for user authentication and
> group and host entries.
>
> I am looking to allow anonymous searches of the directory but to
> disallow the visibility of the userPassword attribute.
>
> I would like to allow access to the userPassword attribute to only the
> user that is authenticating to the directory for logins.
>
> I have read the ACI chapter on the Directory services Administrator's
> guide but I am still struggling a bit.
>
<snip>
We deleted the anonymous access rule so I don't have it in front of me
but I believe it defaults to not allowing access to the userPassword
attribute. I don't have an idm-console handy but I believe you can
check by right clicking on your top level container, viewing the ACIs,
selecting the anonymous access, going to the attribute tab, clicking on
the attribute column header to sort alphabetically and scrolling toward
the end. See if the userPassword attribute is unchecked. If not,
uncheck it. If you have enabled SAMBA extensions, you may also want to
uncheck the NTPassword and, oops! - forgot the other one but something
like LMPassword. Hope this helps - John
--
John A. Sullivan III
Open Source Development Corporation
+1 207-985-7880
jsullivan@opensourcedevel.com
http://www.spiritualoutreach.com
Making Christianity intelligible to secular society
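The same change John describes through the console can be made with ldapmodify. The LDIF below is an added example, not from the thread or from Fedora DS; the suffix `dc=example,dc=com` and the exact wording of the "weak" ACI are assumptions (a `delete: aci` must quote the existing value verbatim, so copy yours from `ldapsearch ... aci` rather than from here). The point James is after needs one fact about how the server works: a simple BIND compares the password inside the server and does not go through ACI read checks on `userPassword`, so excluding the attribute from anonymous read does not break logins, and no user needs read access to their own hash. The Samba attribute names John could not remember are `sambaNTPassword` and `sambaLMPassword` from the Samba schema.

```ldif
# Added example (not from the thread); suffix and existing ACI text assumed.
# Weak: (targetattr = "*") lets anyone who can open a connection read every
# attribute, password hashes included. Remove that ACI and add two in its
# place: anonymous read of everything except the password attributes, and
# self-write on userPassword so users can still change their own password.
dn: dc=example,dc=com
changetype: modify
delete: aci
aci: (targetattr = "*")(version 3.0; acl "Anonymous access"; allow (read, search, compare) userdn = "ldap:///anyone";)
-
add: aci
aci: (targetattr != "userPassword || sambaNTPassword || sambaLMPassword")(version 3.0; acl "Anonymous access without password hashes"; allow (read, search, compare) userdn = "ldap:///anyone";)
-
add: aci
aci: (targetattr = "userPassword")(version 3.0; acl "Self password change"; allow (write) userdn = "ldap:///self";)
-
```

To verify, search anonymously for the attribute: `ldapsearch -x -H ldap://localhost -b dc=example,dc=com '(uid=*)' userPassword` should return the entries with no `userPassword` values, while a bind as one of those users (`ldapsearch -x -D uid=<name>,... -W ...`) must still succeed.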
09-17-2012, 11:58 AM
Josh Ellsworth
ACI help
I am trying to grant a specific group the ability to edit one attribute. I have the following ACI in place with no success: