>>>>> I'm not an English native speaker, so please forgive me if there are
>>>>> mistakes in this e-mail.
>>>>>
>>>>> OS : Fedora 30
>>>>> 389ds version / build number : 1.4.1.14 / 2020.023.2226
>>>>>
>>>>> I'm struggling with ACI and despite hours of documentation reading, I
>>>>> don't understand how to make it work as I want.
>>>>>
>>>>> Basic directory structure
>>>>> ==================
>>>>> dc=domain,dc=tld
>>>>> |
>>>>> +---ou=Servers
>>>>> |
>>>>> +---cn=proxy <---- here is where I add the ACI
>>>>> |
>>>>> +---cn=group1
>>>>> |
>>>>> +---cn=group2
>>>>> ===================
>>>>> Container "proxy" is an "iphost" object.
>>>>>
> Sorry for the messy email. I rewrote it a few times: This should be clearer.
>
> A way to achieve this is with the memberOf plugin.
>
> You enable memberOf plugin on your system. This means that members of
> cn=group1,cn=proxy,ou=Servers,dc=domain,dc=tld would have that set into their account such
> as:
>
> dn: uid=william,ou=people,dc=domain,dc=tld
> ...
> memberOf: cn=group1,cn=proxy,ou=Servers,dc=domain,dc=tld
>
>
> Then you can use:
>
>
> (targetattr = "*") (target = "ldap:///cn=proxy,ou=Servers,dc=domain,dc=tld")
> (version 3.0; acl "Allow only groups members to query this object"; allow (all)
> (userdn = "ldap:///ou=People,dc=domain,dc=tld??sub??(memberOf=cn=*,cn=proxy,ou=Servers,dc=domain,dc=tld)")
> ;)
>
>
> I haven't tried this myself, but it should work. You'll need to make sure
> there is a substring index on memberOf.
> It might work, but enabling memberOf, and especially a substring index for it, could be
> very costly.
> If the groupdn with the ldap url with filter doesn't work, I think listing all the
> groups would be the most efficient method, at the cost that maintaining the aci becomes a
> more challenging task.
> I think acis with groupdn do handle nested groups, so to keep the aci simple, one could
> create a group, containing all the groups, e.g.:
> cn=acigroup, cn=proxy1, ..
> member: cn=g1, cn=proxy1,...
> member: cn=g2, cn=proxy1,..
> --------
> aci: ............ (groupdn=cn=acigroup, cn=proxy1,...)
This suggestion from Ludwig sounds like the best one so far :)
—
Sincerely,
William Brown
Senior Software Engineer, 389 Directory Server
SUSE Labs, Australia
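The "group of groups" approach Ludwig sketches above, written out as a working example. This is an added example and not code from the thread or from the 389 DS project: the DNs follow the tree in the original question (cn=proxy, ou=Servers, cn=group1, cn=group2 under dc=domain,dc=tld), while cn=acigroup, the server URI and the admin bind DN are assumed placeholders. The ACI deliberately grants read, search and compare rather than the "allow (all)" used earlier in the thread, since that is all a query needs.

```shell
#!/bin/sh
# Added example (not from the thread or the 389 DS project): an umbrella group
# holding every group under cn=proxy, plus an ACI that lets only members of that
# group (and, via nesting, of group1/group2) see cn=proxy. Applied with ldapmodify.
set -eu

SUFFIX="dc=domain,dc=tld"
PROXY="cn=proxy,ou=Servers,$SUFFIX"
LDAP_URI="${LDAP_URI:-ldap://localhost}"        # placeholder server URI
BIND_DN="${BIND_DN:-cn=Directory Manager}"      # placeholder admin bind DN

# LDIF that creates cn=acigroup (an assumed name) containing the two groups from
# the thread. groupOfNames requires at least one member, so both are listed here.
acigroup_ldif() {
  cat <<EOF
dn: cn=acigroup,$PROXY
changetype: add
objectClass: top
objectClass: groupOfNames
cn: acigroup
member: cn=group1,$PROXY
member: cn=group2,$PROXY
EOF
}

# LDIF that attaches the ACI to cn=proxy. groupdn is evaluated with nesting, so a
# member of cn=group1 matches through cn=acigroup without any memberOf plugin.
proxy_aci_ldif() {
  cat <<EOF
dn: $PROXY
changetype: modify
add: aci
aci: (targetattr = "*")(target = "ldap:///$PROXY")(version 3.0; acl "Allow only group members to query this object"; allow (read, search, compare) (groupdn = "ldap:///cn=acigroup,$PROXY");)
EOF
}

# Pipe the LDIF produced by the named function into ldapmodify.
apply_ldif() {            # usage: apply_ldif acigroup_ldif
  "$1" | ldapmodify -x -H "$LDAP_URI" -D "$BIND_DN" -W
}

# Verification: bind as the given user and read cn=proxy. A member of group1 or
# group2 gets the entry back; anyone else gets an empty result, because 389 DS
# hides entries that no allow ACI covers rather than returning an error.
check_access() {          # usage: check_access "uid=william,ou=people,dc=domain,dc=tld"
  ldapsearch -x -H "$LDAP_URI" -D "$1" -W -b "$PROXY" -s base '(objectClass=*)' dn
}

if [ "${1:-}" = "apply" ]; then
  apply_ldif acigroup_ldif
  apply_ldif proxy_aci_ldif
fi
```

Two checks worth running after `sh aci.sh apply`: first, run `check_access` once with a member's DN and once with a non-member's DN and confirm that only the member sees the entry. Second, remember that 389 DS ACIs are additive allows, so any broader ACI higher in the tree (for example a default "Enable anonymous access" read ACI on the suffix) still applies to cn=proxy; if such an ACI exists, the restriction only holds once it is removed or narrowed. If the groups themselves contain further groups, the nesting depth the ACI evaluator follows is bounded by nsslapd-groupevalnestlevel in cn=config (default 5).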