1:46 a.m.
I've created two user entries under People:
Test User: uid=testuser
Jane Doe : uid=JDoe
Here's what I'm trying to achieve with access control:
- Turn off anon access to the entry Test User
- Allow full access to Test User on Test User
- Allow (read, search, compare) to JDoe on Test User,
and
no other users
- Allow full access to "cn=Directory Manager" on Test
User.
- Anon access is still allowed on other entries
So, here is the list of ACIs (besides the inherited
ones)
that I've created on the entry Test User:
(targetattr = "*") (version 3.0;acl "self";allow
(all)(userdn = "ldap:///uid=testuser,ou=People,
dc=dummy,dc=com");)
(targetattr != "userPassword") (version 3.0;acl "No
anonymous access";deny (all)(userdn =
"ldap:///anyone");)
(targetattr = "*") (target =
"ldap:///uid=testuser,ou=People, dc=dummy,dc=com")
(version 3.0;acl "Allow JDoe";allow
(read,compare,search)(userdn =
"ldap:///uid=JDoe,ou=People, dc=dummy,dc=com");)
With the ACIs above, it seems that the "No anonymous
access"
is taking precendence over the other two. Even the
"Test
User" does not have access to its own data, and JDoe
certainly does not either. The only user who has
access
is the Directory Manager.
How do I achieve my goals with ACI?
thanks a lot.
sz.
__________________________________
Yahoo! Mail - PC Magazine Editors' Choice 2005
http://mail.yahoo.com
3:10 a.m.
speedy zinc wrote:
I've created two user entries under People:
Test User: uid=testuser
Jane Doe : uid=JDoe
Here's what I'm trying to achieve with access control:
- Turn off anon access to the entry Test User
- Allow full access to Test User on Test User
- Allow (read, search, compare) to JDoe on Test User,
and
no other users
- Allow full access to "cn=Directory Manager" on Test
User.
- Anon access is still allowed on other entries
So, here is the list of ACIs (besides the inherited
ones)
that I've created on the entry Test User:
(targetattr = "*") (version 3.0;acl "self";allow
(all)(userdn = "ldap:///uid=testuser,ou=People,
dc=dummy,dc=com");)
(targetattr != "userPassword") (version 3.0;acl "No
anonymous access";deny (all)(userdn =
"ldap:///anyone");)
(targetattr = "*") (target =
"ldap:///uid=testuser,ou=People, dc=dummy,dc=com")
(version 3.0;acl "Allow JDoe";allow
(read,compare,search)(userdn =
"ldap:///uid=JDoe,ou=People, dc=dummy,dc=com");)
With the ACIs above, it seems that the "No anonymous
access"
is taking precendence over the other two. Even the
"Test
User" does not have access to its own data, and JDoe
certainly does not either. The only user who has
access
is the Directory Manager.
How do I achieve my goals with ACI?
Note that ACIs are logically ORed during evaluation. And "deny"
always takes precedence over "allow". So, your ACI
which [deny(all)(userdn="ldap:///anyone")] will take precendence
over the other two. Therefore, even Test User is denied reading
his own data.
You can combine the 3 ACIs above into the following:
(targetattr="*")(target="ldap:///uid=testuser,ou=People,dc=dummy,dc=com")
(version 3.0;acl "Self and JDoe (but no anon to all)";
deny(all)(userdn != "ldap:///uid=testuser,ou=People,dc=dummy,dc=com ||
ldap://uid=JDoe,ou=People,dc=dummy,dc=com");)
This tells the server to deny to all on that specific target except
if userdn is "testuser" or "JDoe" .
Hope that helps.
csp
--
Chen Shaopeng
http://www.idsignet.com
10:47 a.m.
--- Chen Shaopeng <chen_shaopeng(a)idsignet.com> wrote:
Note that ACIs are logically ORed during evaluation.
And "deny"
always takes precedence over "allow". So, your ACI
which [deny(all)(userdn="ldap:///anyone")] will take
precendence
over the other two. Therefore, even Test User is
denied reading
his own data.
You can combine the 3 ACIs above into the following:
(targetattr="*")(target="ldap:///uid=testuser,ou=People,dc=dummy,dc=com")
(version 3.0;acl "Self and JDoe (but no anon to
all)";
deny(all)(userdn !=
"ldap:///uid=testuser,ou=People,dc=dummy,dc=com ||
ldap://uid=JDoe,ou=People,dc=dummy,dc=com");)
This tells the server to deny to all on that
specific target except
if userdn is "testuser" or "JDoe" .
Hope that helps.
Thanks a lot, Chen! Exactly what I want :)
sz
__________________________________
Yahoo! FareChase: Search multiple travel sites in one click.
http://farechase.yahoo.com
9:25 a.m.
Another thing to remember about ACIs is that everything is denied by
default. The only things that are allowed are those things which you
explicitly allow. So you don't usually have to create deny rules.
speedy zinc wrote:
I've created two user entries under People:
Test User: uid=testuser
Jane Doe : uid=JDoe
Here's what I'm trying to achieve with access control:
- Turn off anon access to the entry Test User
- Allow full access to Test User on Test User
- Allow (read, search, compare) to JDoe on Test User,
and
no other users
- Allow full access to "cn=Directory Manager" on Test
User.
- Anon access is still allowed on other entries
So, here is the list of ACIs (besides the inherited
ones)
that I've created on the entry Test User:
(targetattr = "*") (version 3.0;acl "self";allow
(all)(userdn = "ldap:///uid=testuser,ou=People,
dc=dummy,dc=com");)
(targetattr != "userPassword") (version 3.0;acl "No
anonymous access";deny (all)(userdn =
"ldap:///anyone");)
(targetattr = "*") (target =
"ldap:///uid=testuser,ou=People, dc=dummy,dc=com")
(version 3.0;acl "Allow JDoe";allow
(read,compare,search)(userdn =
"ldap:///uid=JDoe,ou=People, dc=dummy,dc=com");)
With the ACIs above, it seems that the "No anonymous
access"
is taking precendence over the other two. Even the
"Test
User" does not have access to its own data, and JDoe
certainly does not either. The only user who has
access
is the Directory Manager.
How do I achieve my goals with ACI?
thanks a lot.
sz.
__________________________________
Yahoo! Mail - PC Magazine Editors' Choice 2005
http://mail.yahoo.com
--
Fedora-directory-users mailing list
Fedora-directory-users(a)redhat.com
https://www.redhat.com/mailman/listinfo/fedora-directory-users
6748
days inactive
6748
days old
389-users@lists.fedoraproject.org
3 comments
3 participants
participants (3)
-
Chen Shaopeng -
Rich Megginson -
speedy zinc