09-21-2012, 11:26 AM
Matti Alho

ACI question

Hi,

One ACI related question. I've been learning to use ACIs and read
various documentation. Let's say we have the following structure.


...
cn=Customer1,ou=Sales,dc=domain,dc=com
cn=Customer2,ou=Sales,dc=domain,dc=com
....

Then we have servers authenticating using credentials.
...
uid=server1,cn=VirtualServers,ou=Servers,dc=domain,dc=com
uid=server2,cn=VirtualServers,ou=Servers,dc=domain,dc=com
...

Question: What kind of ACI is needed to limit server1 access to read
Customer1 entry only?
Would I need to create an ACI for each server separately? I was
wondering that one should limit the amount of ACIs, so is there some
other way to achieve this? Thanks for help!

--
389 users mailing list
389-users@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/389-users

09-24-2012, 07:16 PM
Mark Reynolds

ACI question

On 09/21/2012 07:26 AM, Matti Alho wrote:

Hi,

One ACI related question. I've been learning to use ACIs and read
various documentation. Let's say we have the following structure.


...
cn=Customer1,ou=Sales,dc=domain,dc=com
cn=Customer2,ou=Sales,dc=domain,dc=com
....

Then we have servers authenticating using credentials.
...
uid=server1,cn=VirtualServers,ou=Servers,dc=domain,dc=com
uid=server2,cn=VirtualServers,ou=Servers,dc=domain,dc=com
...

Question: What kind of ACI is needed to limit server1 access to read
Customer1 entry only?
Would I need to create an ACI for each server separately? I was
wondering that one should limit the amount of ACIs, so is there some
other way to achieve this? Thanks for help!

If you need something like: s1 -> c1, s2 -> c2, s3 -> c3... Then you
have two options, add individual ACIs, or macro ACIs. Macro ACIs can
be a little tricky, so without knowing what your data looks like, I'm not
sure if macro ACIs can actually be used.


So the individual ACI would look like:

aci: (targetattr = "*")
 (target = "ldap:///cn=Customer1,ou=Sales,dc=domain,dc=com")
 (version 3.0; acl "TEST"; allow (read,search,compare)
 (userdn = "ldap:///uid=server1,cn=VirtualServers,ou=Servers,dc=domain,dc=com");)


This is pretty basic, but adding thousands of ACIs will impact
performance. There are many ways you could do this, but they all require
extra work. Macro ACIs are the best way to go (if possible), or you
could use "filtered roles", and use roledn instead of userdn in the ACI,
but this isn't necessarily an easier approach as you might need to add
"extra" attributes to your entries (for role filtering). It's something
to look into.


Regards,
Mark


--
Mark Reynolds
Red Hat, Inc
mreynolds@redhat.com

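The following is an added example, not code from the thread or from the 389 Directory Server project. It is a deliberately simplified model of how 389 DS evaluates read access under the ACIs discussed above (default deny, one allow ACI per server/customer pair, and a macro ACI using the ($dn) placeholder), written to show why the per-pair ACIs are needed and why a macro ACI only helps when the server and customer names line up. The DNs, the `Aci` class and the matching rules are assumptions made for the demonstration; the real server's ACI parser and macro expansion are more general than this.

```python
"""Simplified, offline model of 389 DS ACI evaluation for the s1 -> c1 case.

Added example (not from the thread). Nothing here talks to a directory
server; the ACIs and DNs are constructed to mirror the ones in the reply.
"""
import re
from dataclasses import dataclass

# Suffixes from the question (constructed to match the thread's layout).
SALES = "ou=Sales,dc=domain,dc=com"
SERVERS = "cn=VirtualServers,ou=Servers,dc=domain,dc=com"
RIGHTS = ("read", "search", "compare")


@dataclass
class Aci:
    """One allow ACI: target DN pattern, bind-DN pattern, granted rights."""
    name: str
    target: str            # DN pattern; may contain the macro ($dn)
    userdn: str            # bind-DN pattern; may contain the macro ($dn)
    rights: tuple = RIGHTS

    def render(self) -> str:
        """Render in aci attribute syntax; note the closing ';)' after the bind rule."""
        return (f'(targetattr = "*")(target = "ldap:///{self.target}")'
                f'(version 3.0; acl "{self.name}"; '
                f'allow ({",".join(self.rights)}) '
                f'(userdn = "ldap:///{self.userdn}");)')


def norm(dn: str) -> str:
    """Normalise a DN for comparison: trim spaces around commas, lower-case."""
    return ",".join(part.strip() for part in dn.split(",")).lower()


def _pattern(template: str) -> re.Pattern:
    """Turn a DN template into a regex; ($dn) captures a single RDN value.

    Assumption: the real server's macro matching is richer (it can span
    several RDNs); one RDN value is enough to show the naming requirement.
    """
    escaped = re.escape(norm(template)).replace(re.escape("($dn)"), r"([^,]+)")
    return re.compile("^" + escaped + "$")


def aci_grants(aci: Aci, entry_dn: str, bind_dn: str, right: str) -> bool:
    """Does this one ACI allow `right` on `entry_dn` for `bind_dn`?"""
    if right not in aci.rights:
        return False
    match = _pattern(aci.target).match(norm(entry_dn))
    if not match:
        return False
    userdn = aci.userdn
    if match.groups():
        # Macro ACI: the value matched in the target is substituted into the bind rule.
        userdn = userdn.replace("($dn)", match.group(1))
    return norm(userdn) == norm(bind_dn)


def allowed(acis, entry_dn: str, bind_dn: str, right: str = "read") -> bool:
    """Default deny: access is granted only if some allow ACI matches."""
    return any(aci_grants(aci, entry_dn, bind_dn, right) for aci in acis)


def individual_acis(pairs):
    """One ACI per (server, customer) pair, the per-entry approach from the reply."""
    return [Aci(name=f"{server} reads {customer}",
                target=f"cn={customer},{SALES}",
                userdn=f"uid={server},{SERVERS}")
            for server, customer in pairs]


# A single macro ACI; it can only stand in for the per-pair ACIs when the
# customer's cn and the server's uid carry the same value.
MACRO_ACI = Aci(name="server reads its own customer",
                target=f"cn=($dn),{SALES}",
                userdn=f"uid=($dn),{SERVERS}")


if __name__ == "__main__":
    acis = individual_acis([("server1", "Customer1"), ("server2", "Customer2")])
    print(acis[0].render())
    s1 = f"uid=server1,{SERVERS}"
    print(allowed(acis, f"cn=Customer1,{SALES}", s1))   # True: its own customer
    print(allowed(acis, f"cn=Customer2,{SALES}", s1))   # False: no ACI for this pair
    # The macro ACI grants access only where the names line up.
    print(allowed([MACRO_ACI], f"cn=Customer1,{SALES}", f"uid=Customer1,{SERVERS}"))  # True
    print(allowed([MACRO_ACI], f"cn=Customer1,{SALES}", s1))                          # False
```

The `render` output is the same shape as the ACI in the reply, with the `;)` that closes the `version 3.0` block. The last two calls are the point of Mark's caveat: a macro ACI substitutes whatever the target matched into the bind rule, so with `uid=server1` against `cn=Customer1` it never matches, and the per-pair ACIs (or a filtered role carrying the mapping) remain the option.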