[389-users] ACI question

Mark Reynolds mareynol at redhat.com
Mon Sep 24 19:16:41 UTC 2012



On 09/21/2012 07:26 AM, Matti Alho wrote:
> Hi,
>
> One ACI related question. I've been learning to use ACIs and read 
> various documentation. Let's say we have the following structure.
>
> ...
> cn=Customer1,ou=Sales,dc=domain,dc=com
> cn=Customer2,ou=Sales,dc=domain,dc=com
> ....
>
> Then we have servers authenticating using credentials.
> ...
> uid=server1,cn=VirtualServers,ou=Servers,dc=domain,dc=com
> uid=server2,cn=VirtualServers,ou=Servers,dc=domain,dc=com
> ...
>
> Question: What kind of ACI is needed to limit server1 access to read 
> Customer1 entry only?
> Would I need to create an ACI for each server separately? I was 
> wondering that one should limit the amount of ACIs, so is there some 
> other way to achieve this? Thanks for help!
If you need something like:  s1 -> c1, s2 -> c2, s3 -> c3...  Then you 
have two options, add individual aci's, or macro aci's.  Macro aci's can 
be a little tricky, so without knowing what your data looks like, I'm not 
sure if macro aci's can actually be used.

So the individual aci would look like:

aci: (targetattr = "*")
     (target = "ldap:///cn=Customer1,ou=Sales,dc=domain,dc=com")
     (version 3.0; acl "TEST"; allow (read,search,compare)
     (userdn = "ldap:///uid=server1,cn=VirtualServers,ou=Servers,dc=domain,dc=com");)

This is pretty basic, but adding thousands of aci's will impact 
performance.  There are many ways you could do this, but they all require 
extra work.  Macro aci's are the best way to go (if possible), or you 
could use "filtered roles", and use roledn instead of userdn in the aci, 
but this isn't necessarily an easier approach as you might need to add 
"extra" attributes to your entries (for role filtering).  It's something 
to look into.

Regards,
Mark


-- 
Mark Reynolds
Red Hat, Inc
mreynolds at redhat.com
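Added example, not part of the thread: a small script that generates the per-pair "individual aci" from Mark's template for an s1 -> c1, s2 -> c2 mapping and writes it out as LDIF modify operations (one read-only aci per customer entry), with RFC 2849 line folding so the long aci value survives ldapmodify. The DN suffixes are taken from the thread; the server-to-customer mapping is a constructed sample.

```python
# Added example (not from the thread): emit one read-only ACI per
# server -> customer pair as LDIF, using the per-entry ACI template above.
# Suffixes follow the thread; the mapping in __main__ is constructed.

SALES_BASE = "ou=Sales,dc=domain,dc=com"
SERVER_BASE = "cn=VirtualServers,ou=Servers,dc=domain,dc=com"

def build_aci(customer_cn, server_uid, acl_name=None):
    """Return a 389 DS ACI granting server_uid read-only access to one entry.

    The target is the customer entry itself and the bind rule names a single
    userdn, so each ACI covers exactly one server -> customer pair.
    """
    target = f"ldap:///cn={customer_cn},{SALES_BASE}"
    userdn = f"ldap:///uid={server_uid},{SERVER_BASE}"
    name = acl_name or f"{server_uid}-reads-{customer_cn}"
    return (f'(targetattr = "*")(target = "{target}")'
            f'(version 3.0; acl "{name}"; allow (read,search,compare) '
            f'(userdn = "{userdn}");)')

def fold_ldif(line, width=76):
    """Fold a long LDIF line; continuation lines start with one space (RFC 2849)."""
    out = [line[:width]]
    rest = line[width:]
    while rest:
        out.append(" " + rest[:width - 1])
        rest = rest[width - 1:]
    return "\n".join(out)

def aci_ldif(mapping):
    """Build LDIF that adds one aci value to each mapped customer entry.

    mapping: dict of server uid -> customer cn, e.g. {"server1": "Customer1"}.
    'add: aci' appends to any aci values already present on the entry.
    """
    records = []
    for server_uid, customer_cn in sorted(mapping.items()):
        dn = f"cn={customer_cn},{SALES_BASE}"
        records.append("\n".join([
            f"dn: {dn}",
            "changetype: modify",
            "add: aci",
            fold_ldif("aci: " + build_aci(customer_cn, server_uid)),
            "-",
        ]))
    return "\n\n".join(records) + "\n"

if __name__ == "__main__":
    # constructed sample mapping: server1 -> Customer1, server2 -> Customer2
    print(aci_ldif({"server1": "Customer1", "server2": "Customer2"}))
```

Feed the output to ldapmodify as the Directory Manager (or another identity allowed to write aci); the generated aci grants only read, search and compare, so the server still cannot modify its customer entry.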