[389-users] [SOLVED] Re: ACI which allows subtree modification only
Ondrej Ivanič
ondrej.ivanic at gmail.com
Mon Sep 6 00:43:55 UTC 2010
Hi,
On Sat, Sep 4, 2010 at 1:33 AM, Rich Megginson <rmeggins at redhat.com> wrote:
>> ou=UnitA, dc=example, dc=com
>> uid=adminA, ou=UnitA, dc=example, dc=com (member of Admin group)
>> uid=userA1, ou=UnitA, dc=example, dc=com
>> uid=userA2, ou=UnitA, dc=example, dc=com
>> uid=userA3, ou=UnitA, dc=example, dc=com
>> ou=UnitB, dc=example, dc=com
>> uid=adminB, ou=UnitB, dc=example, dc=com (member of Admin group)
>> uid=userB1, ou=UnitB, dc=example, dc=com
>>
>> The idea is that admin could change anything (modify/add/remove
>> attributes) under his 'ou' i.e. adminA has full access to all DNs
>> under ou=UnitA, dc=example, dc=com but no access to ou=UnitB
>>
>> I tried the following ACI:
>> (target="ldap:///($dn)) (targetattr = "*")
>> (version 3.0; acl "Administrator access"; allow (all)
>> roledn="ldap:///cn=Administrator,dc=example,dc=com";)
>>
>> But AdminA could change anything under ou=UnitB. Any ideas how to
>> fix/change ACI?
>
> I don't think that ACI will work - a macro ACI requires the use of ($dn) or
> [$dn] in both the target and the bind rule.
Ops, I missed that part that ($dn) requires [$dn] in docs!
I changed ACI to:
(target="ldap:///($dn)") (targetattr = "*")
(version 3.0; acl "Allow Admin to create users"; allow (add,all)
roledn="ldap:///cn=Admin,[$dn]";)
which works great. Second changed is that each 'ou' has own admin:
ou=UnitA,dc=example,dc=com
cn=admin,ou=UnitA,dc=example,dc=com
uid=adminA,ou=UnitA,dc=example,dc=com (member of
cn=admin,ou=UnitA,dc=example,dc=com)
...
ou=UnitB,dc=example,dc=com
cn=admin,ou=UnitA,dc=example,dc=com
uid=adminB,ou=UnitA,dc=example,dc=com (member of
cn=admin,ou=UnitA,dc=example,dc=com)
...
Thanks,
--
Ondrej Ivanic
(ondrej.ivanic at gmail.com)
More information about the 389-users
mailing list