speedy zinc wrote:
I've created two user entries under People:
Test User: uid=testuser
Jane Doe : uid=JDoe
Here's what I'm trying to achieve with access control:
- Turn off anon access to the entry Test User
- Allow full access to Test User on Test User
- Allow (read, search, compare) to JDoe on Test User,
and
no other users
- Allow full access to "cn=Directory Manager" on Test
User.
- Anon access is still allowed on other entries
So, here is the list of ACIs (besides the inherited
ones)
that I've created on the entry Test User:
(targetattr = "*") (version 3.0;acl "self";allow
(all)(userdn = "ldap:///uid=testuser,ou=People,
dc=dummy,dc=com");)
(targetattr != "userPassword") (version 3.0;acl "No
anonymous access";deny (all)(userdn =
"ldap:///anyone");)
(targetattr = "*") (target =
"ldap:///uid=testuser,ou=People, dc=dummy,dc=com")
(version 3.0;acl "Allow JDoe";allow
(read,compare,search)(userdn =
"ldap:///uid=JDoe,ou=People, dc=dummy,dc=com");)
With the ACIs above, it seems that the "No anonymous
access"
is taking precendence over the other two. Even the
"Test
User" does not have access to its own data, and JDoe
certainly does not either. The only user who has
access
is the Directory Manager.
How do I achieve my goals with ACI?
Note that ACIs are logically ORed during evaluation. And "deny"
always takes precedence over "allow". So, your ACI
which [deny(all)(userdn="ldap:///anyone")] will take precendence
over the other two. Therefore, even Test User is denied reading
his own data.
You can combine the 3 ACIs above into the following:
(targetattr="*")(target="ldap:///uid=testuser,ou=People,dc=dummy,dc=com")
(version 3.0;acl "Self and JDoe (but no anon to all)";
deny(all)(userdn != "ldap:///uid=testuser,ou=People,dc=dummy,dc=com ||
ldap://uid=JDoe,ou=People,dc=dummy,dc=com");)
This tells the server to deny to all on that specific target except
if userdn is "testuser" or "JDoe" .
Hope that helps.
csp
--
Chen Shaopeng
http://www.idsignet.com