Old 09-03-2010, 02:45 AM
Ondrej Ivanič

ACI which allows subtree modification only

Hi,

Is it possible to create an ACI which allows any change to the subtree under
the bind DN? Here is an example:

ou=UnitA, dc=example, dc=com
    uid=adminA, ou=UnitA, dc=example, dc=com (member of Admin group)
    uid=userA1, ou=UnitA, dc=example, dc=com
    uid=userA2, ou=UnitA, dc=example, dc=com
    uid=userA3, ou=UnitA, dc=example, dc=com
ou=UnitB, dc=example, dc=com
    uid=adminB, ou=UnitB, dc=example, dc=com (member of Admin group)
    uid=userB1, ou=UnitB, dc=example, dc=com

The idea is that an admin could change anything (modify/add/remove
attributes) under his 'ou', i.e. adminA has full access to all DNs
under ou=UnitA, dc=example, dc=com but no access to ou=UnitB.

I tried the following ACI:
(target="ldap:///($dn)") (targetattr = "*")
    (version 3.0; acl "Administrator access"; allow (all)
    roledn="ldap:///cn=Administrator,dc=example,dc=com";)

But AdminA could change anything under ou=UnitB. Any ideas how to
fix/change ACI?

PS. Please CC me because i'm not on the list.

Thanks,
--
Ondrej Ivanic
(ondrej.ivanic@gmail.com)
--
389 users mailing list
389-users@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/389-users
 
Old 09-03-2010, 03:33 PM
Rich Megginson

ACI which allows subtree modification only

Ondrej Ivanič wrote:
> Hi,
>
> Is it possible to create ACI which allows any change to subtree under
> bind DN? Here is an example:
>
> ou=UnitA, dc=example, dc=com
> uid=adminA, ou=UnitA, dc=example, dc=com (member of Admin group)
> uid=userA1, ou=UnitA, dc=example, dc=com
> uid=userA2, ou=UnitA, dc=example, dc=com
> uid=userA3, ou=UnitA, dc=example, dc=com
> ou=UnitB, dc=example, dc=com
> uid=adminB, ou=UnitB, dc=example, dc=com (member of Admin group)
> uid=userB1, ou=UnitB, dc=example, dc=com
>
> The idea is that admin could change anything (modify/add/remove
> attributes) under his 'ou' i.e. adminA has full access to all DNs
> under ou=UnitA, dc=example, dc=com but no access to ou=UnitB
>
> I tried the following ACI:
> (target="ldap:///($dn)") (targetattr = "*")
> (version 3.0; acl "Administrator access"; allow (all)
> roledn="ldap:///cn=Administrator,dc=example,dc=com";)
>
> But AdminA could change anything under ou=UnitB. Any ideas how to
> fix/change ACI?
>
I don't think that ACI will work - a macro ACI requires the use of ($dn)
or [$dn] in both the target and the bind rule.

Start with
http://www.redhat.com/docs/manuals/dir-server/8.2/admin/html/Managing_Access_Control.html
> PS. Please CC me because i'm not on the list.
>
> Thanks,
> --
> Ondrej Ivanic
> (ondrej.ivanic@gmail.com)
> --
> 389 users mailing list
> 389-users@lists.fedoraproject.org
> https://admin.fedoraproject.org/mailman/listinfo/389-users

--
389 users mailing list
389-users@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/389-users
 
Old 09-06-2010, 12:43 AM
Ondrej Ivanič

ACI which allows subtree modification only

Hi,

On Sat, Sep 4, 2010 at 1:33 AM, Rich Megginson <rmeggins@redhat.com> wrote:
>> ou=UnitA, dc=example, dc=com
>>     uid=adminA, ou=UnitA, dc=example, dc=com (member of Admin group)
>>     uid=userA1, ou=UnitA, dc=example, dc=com
>>     uid=userA2, ou=UnitA, dc=example, dc=com
>>     uid=userA3, ou=UnitA, dc=example, dc=com
>> ou=UnitB, dc=example, dc=com
>>     uid=adminB, ou=UnitB, dc=example, dc=com (member of Admin group)
>>     uid=userB1, ou=UnitB, dc=example, dc=com
>>
>> The idea is that admin could change anything (modify/add/remove
>> attributes) under his 'ou' i.e. adminA has full access to all DNs
>> under ou=UnitA, dc=example, dc=com but no access to ou=UnitB
>>
>> I tried the following ACI:
>> (target="ldap:///($dn)") (targetattr = "*")
>>     (version 3.0; acl "Administrator access"; allow (all)
>>     roledn="ldap:///cn=Administrator,dc=example,dc=com";)
>>
>> But AdminA could change anything under ou=UnitB. Any ideas how to
>> fix/change ACI?
>
> I don't think that ACI will work - a macro ACI requires the use of ($dn) or
> [$dn] in both the target and the bind rule.

Oops, I missed the part in the docs that ($dn) requires [$dn]!

I changed the ACI to:
(target="ldap:///($dn)") (targetattr = "*")
(version 3.0; acl "Allow Admin to create users"; allow (add,all)
roledn="ldap:///cn=Admin,[$dn]";)

which works great. The second change is that each 'ou' has its own admin:
ou=UnitA,dc=example,dc=com
cn=admin,ou=UnitA,dc=example,dc=com
uid=adminA,ou=UnitA,dc=example,dc=com (member of
cn=admin,ou=UnitA,dc=example,dc=com)
...
ou=UnitB,dc=example,dc=com
cn=admin,ou=UnitA,dc=example,dc=com
uid=adminB,ou=UnitA,dc=example,dc=com (member of
cn=admin,ou=UnitA,dc=example,dc=com)

...

Thanks,
--
Ondrej Ivanic
(ondrej.ivanic@gmail.com)
--
389 users mailing list
389-users@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/389-users
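The thread ends with the corrected ACI but never spells out why the first one let adminA into ou=UnitB. The script below is an added example, not code from the thread and not 389 Directory Server's own ACI engine: it is a toy model of macro ACI expansion as the Red Hat DS documentation describes it (($dn) in the target matches a run of RDNs in the entry DN; ($dn) in the bind rule is replaced by exactly that run; [$dn] in the bind rule is replaced by that run, and if no match results the leftmost RDN is dropped and the check retried). It evaluates only target and bind rule (targetattr and rights are ignored), compares DNs as normalised strings, and treats the bound user's roles as a plain set of DNs, regardless of whether the real server would obtain them from nsRole or group membership; all of that is a simplification, and the role memberships for adminA are constructed for the example.

```python
# Added example, not code from the thread or from 389 DS: a toy model of
# macro ACI expansion used to show why the original ACI (static bind rule)
# grants adminA access to ou=UnitB while the corrected one ([$dn] in the
# bind rule) confines adminA to ou=UnitA. Semantics are simplified from the
# Red Hat DS "Macro ACI" documentation; DN comparison is a normalised string
# compare (assumption), and only target + bind rule are evaluated.
from __future__ import annotations

from dataclasses import dataclass
from typing import Optional

LDAP_PREFIX = "ldap:///"


def norm(dn: str) -> str:
    """Normalise a DN for comparison: trim whitespace around RDNs, lowercase."""
    return ",".join(part.strip().lower() for part in dn.split(","))


def strip_prefix(value: str) -> str:
    """Drop the ldap:/// scheme used in ACI target and bind-rule values."""
    return value[len(LDAP_PREFIX):] if value.startswith(LDAP_PREFIX) else value


def macro_match(target_pattern: str, entry_dn: str) -> Optional[str]:
    """Return the run of RDNs matched by ($dn) in the target, or None.

    Without a macro the target is treated as a plain subtree and the whole
    entry DN is returned when it lies inside that subtree.
    """
    pattern = norm(strip_prefix(target_pattern))
    dn = norm(entry_dn)
    if "($dn)" not in pattern:
        return dn if dn == pattern or dn.endswith("," + pattern) else None
    before, after = pattern.split("($dn)", 1)
    if not (dn.startswith(before) and dn.endswith(after)):
        return None
    matched = dn[len(before):len(dn) - len(after)].strip(",")
    return matched or None


def bind_rule_candidates(bind_template: str, matched: str) -> list[str]:
    """Expand the macro in a bind rule into the DNs the server will try, in order.

    [$dn]: substitute the matched run, then keep dropping the leftmost RDN.
    ($dn): substitute the matched run exactly once.
    no macro: the bind rule is static, identical for every target entry.
    """
    template = norm(strip_prefix(bind_template))
    if "[$dn]" in template:
        parts = matched.split(",")
        return [template.replace("[$dn]", ",".join(parts[i:])) for i in range(len(parts))]
    if "($dn)" in template:
        return [template.replace("($dn)", matched)]
    return [template]


@dataclass(frozen=True)
class Aci:
    target: str  # e.g. "ldap:///($dn)"
    roledn: str  # e.g. "ldap:///cn=Admin,[$dn]"


def is_allowed(aci: Aci, bind_roles: set[str], entry_dn: str) -> bool:
    """Does an identity holding bind_roles satisfy this ACI for entry_dn?"""
    matched = macro_match(aci.target, entry_dn)
    if matched is None:
        return False  # target does not cover this entry at all
    roles = {norm(r) for r in bind_roles}
    return any(c in roles for c in bind_rule_candidates(aci.roledn, matched))


# The two ACIs from the thread, reduced to target + bind rule.
ORIGINAL_ACI = Aci("ldap:///($dn)", "ldap:///cn=Administrator,dc=example,dc=com")
CORRECTED_ACI = Aci("ldap:///($dn)", "ldap:///cn=Admin,[$dn]")

# Constructed role set for adminA: the global role named in the first post
# plus the per-ou admin role introduced in the last post.
ADMIN_A_ROLES = {
    "cn=Administrator,dc=example,dc=com",
    "cn=admin,ou=UnitA,dc=example,dc=com",
}
USER_A1 = "uid=userA1,ou=UnitA,dc=example,dc=com"
USER_B1 = "uid=userB1,ou=UnitB,dc=example,dc=com"


def compare() -> dict[str, bool]:
    """Evaluate both ACIs for adminA against an entry in each ou."""
    return {
        "original_own_ou": is_allowed(ORIGINAL_ACI, ADMIN_A_ROLES, USER_A1),
        "original_other_ou": is_allowed(ORIGINAL_ACI, ADMIN_A_ROLES, USER_B1),  # the flaw
        "corrected_own_ou": is_allowed(CORRECTED_ACI, ADMIN_A_ROLES, USER_A1),
        "corrected_other_ou": is_allowed(CORRECTED_ACI, ADMIN_A_ROLES, USER_B1),
    }


if __name__ == "__main__":
    for name, ok in compare().items():
        print(f"{name}: {'allow' if ok else 'deny'}")
```

With a static bind rule the only candidate is cn=Administrator,dc=example,dc=com, which adminA holds, so the target macro alone never narrows anything. With cn=Admin,[$dn] the candidates for uid=userB1,ou=UnitB,... are cn=Admin under userB1, under ou=UnitB, under dc=example,dc=com and under dc=com; adminA holds none of them, so the request is denied, while the same expansion for an ou=UnitA entry reaches cn=admin,ou=UnitA,dc=example,dc=com on the second try.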