Hi,
Is it possible to create ACI which allows any change to subtree under bind DN? Here is an example:
ou=UnitA, dc=example, dc=com uid=adminA, ou=UnitA, dc=example, dc=com (member of Admin group) uid=userA1, ou=UnitA, dc=example, dc=com uid=userA2, ou=UnitA, dc=example, dc=com uid=userA3, ou=UnitA, dc=example, dc=com ou=UnitB, dc=example, dc=com uid=adminB, ou=UnitB, dc=example, dc=com (member of Admin group) uid=userB1, ou=UnitB, dc=example, dc=com
The idea is that admin could change anything (modify/add/remove attributes) under his 'ou' i.e. adminA has full access to all DNs under ou=UnitA, dc=example, dc=com but no access to ou=UnitB
I tried the following ACI: (target="ldap:///($dn)) (targetattr = "*") (version 3.0; acl "Administrator access"; allow (all) roledn="ldap:///cn=Administrator,dc=example,dc=com";)
But AdminA could change anything under ou=UnitB. Any ideas how to fix/change ACI?
PS. Please CC me because i'm not on the list.
Thanks, -- Ondrej Ivanic (ondrej.ivanic@gmail.com)
Ondrej Ivanič wrote:
Hi,
Is it possible to create ACI which allows any change to subtree under bind DN? Here is an example:
ou=UnitA, dc=example, dc=com uid=adminA, ou=UnitA, dc=example, dc=com (member of Admin group) uid=userA1, ou=UnitA, dc=example, dc=com uid=userA2, ou=UnitA, dc=example, dc=com uid=userA3, ou=UnitA, dc=example, dc=com ou=UnitB, dc=example, dc=com uid=adminB, ou=UnitB, dc=example, dc=com (member of Admin group) uid=userB1, ou=UnitB, dc=example, dc=com
The idea is that admin could change anything (modify/add/remove attributes) under his 'ou' i.e. adminA has full access to all DNs under ou=UnitA, dc=example, dc=com but no access to ou=UnitB
I tried the following ACI: (target="ldap:///($dn)) (targetattr = "*") (version 3.0; acl "Administrator access"; allow (all) roledn="ldap:///cn=Administrator,dc=example,dc=com";)
But AdminA could change anything under ou=UnitB. Any ideas how to fix/change ACI?
I don't think that ACI will work - a macro ACI requires the use of ($dn) or [$dn] in both the target and the bind rule.
Start with http://www.redhat.com/docs/manuals/dir-server/8.2/admin/html/Managing_Access...
PS. Please CC me because i'm not on the list.
Thanks,
Ondrej Ivanic (ondrej.ivanic@gmail.com) -- 389 users mailing list 389-users@lists.fedoraproject.org https://admin.fedoraproject.org/mailman/listinfo/389-users
Hi,
On Sat, Sep 4, 2010 at 1:33 AM, Rich Megginson rmeggins@redhat.com wrote:
ou=UnitA, dc=example, dc=com uid=adminA, ou=UnitA, dc=example, dc=com (member of Admin group) uid=userA1, ou=UnitA, dc=example, dc=com uid=userA2, ou=UnitA, dc=example, dc=com uid=userA3, ou=UnitA, dc=example, dc=com ou=UnitB, dc=example, dc=com uid=adminB, ou=UnitB, dc=example, dc=com (member of Admin group) uid=userB1, ou=UnitB, dc=example, dc=com
The idea is that admin could change anything (modify/add/remove attributes) under his 'ou' i.e. adminA has full access to all DNs under ou=UnitA, dc=example, dc=com but no access to ou=UnitB
I tried the following ACI: (target="ldap:///($dn)) (targetattr = "*") (version 3.0; acl "Administrator access"; allow (all) roledn="ldap:///cn=Administrator,dc=example,dc=com";)
But AdminA could change anything under ou=UnitB. Any ideas how to fix/change ACI?
I don't think that ACI will work - a macro ACI requires the use of ($dn) or [$dn] in both the target and the bind rule.
Ops, I missed that part that ($dn) requires [$dn] in docs!
I changed ACI to: (target="ldap:///($dn)") (targetattr = "*") (version 3.0; acl "Allow Admin to create users"; allow (add,all) roledn="ldap:///cn=Admin,[$dn]";)
which works great. Second changed is that each 'ou' has own admin: ou=UnitA,dc=example,dc=com cn=admin,ou=UnitA,dc=example,dc=com uid=adminA,ou=UnitA,dc=example,dc=com (member of cn=admin,ou=UnitA,dc=example,dc=com) ... ou=UnitB,dc=example,dc=com cn=admin,ou=UnitA,dc=example,dc=com uid=adminB,ou=UnitA,dc=example,dc=com (member of cn=admin,ou=UnitA,dc=example,dc=com)
...
Thanks,
389-users@lists.fedoraproject.org
-
Ondrej Ivanič -
Rich Megginson