[389-users] Client ACI question

Matti Alho listat at alho.fi
Wed Jan 2 07:18:18 UTC 2013


Hi,

I have read various documents (including Red Hat ones) about ACI 
implementation, but the following basic scenario still confuses me.

* anonymous bind disabled
* each client server is authenticated with a unique username (e.g. 
"ou=ServerUsers,dc=domain,dc=com")

* "ou=Projects,dc=domain,dc=com" holds confidential data
==>
"uid=serveruser1,ou=ServerUsers,dc=domain,dc=com" should only be able to 
see one or several entries under "ou=Projects,dc=domain,dc=com"

QUESTION: in order to minimize the number of ACIs, how should I set up the 
described situation?
I have come up with the following options:

1. allow/deny
What is the correct way to use allow/deny? If I use a default deny 
on ou=Projects..., it overrides the allows.

2. custom attribute
Add a custom attribute somewhere and use that for ACI?

I could use some concrete examples. I couldn't find any relevant guides, 
or I'm just blind. :) Thanks for the help.

-Matti
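One way to set up the scenario described in the post, written here as an added example that is not part of the original thread or of the 389 DS project itself. It follows the "custom attribute" idea (option 2) but uses the standard DN-syntax attribute seeAlso so no schema change is needed; a custom DN-syntax attribute works the same way once it is in the schema. The project entry cn=project-alpha is an assumed name; the container and account DNs are the ones from the post. The key point is that 389 DS denies everything an ACI does not explicitly allow, and an explicit deny always takes precedence over any allow, so the setup below contains no deny ACI at all: a single allow ACI on ou=Projects grants read/search/compare on a project entry only to the bind DNs listed in that entry's seeAlso attribute.

```ldif
# Constructed example LDIF (not from the original post). Apply with:
#   ldapmodify -H ldap://localhost -D "cn=Directory Manager" -W -f projects-aci.ldif

# 1. Tag each project entry with the DN(s) of the server accounts that may
#    see it. seeAlso is a standard attribute with DN syntax, so it can be
#    used without touching the schema; a custom DN-syntax attribute would
#    be used in exactly the same way.
dn: cn=project-alpha,ou=Projects,dc=domain,dc=com
changetype: modify
add: seeAlso
seeAlso: uid=serveruser1,ou=ServerUsers,dc=domain,dc=com

# 2. One ACI on the container. It applies to ou=Projects and everything
#    below it. userattr = "seeAlso#USERDN" means: grant the rights only if
#    the targeted entry's seeAlso attribute contains the bind DN. Entries
#    without a matching seeAlso value (including ou=Projects itself) are
#    simply not allowed, which is a denial without any deny ACI.
dn: ou=Projects,dc=domain,dc=com
changetype: modify
add: aci
aci: (targetattr != "aci")(version 3.0;
  acl "project entry visible to the server accounts listed in seeAlso";
  allow (read, search, compare)
  userattr = "seeAlso#USERDN";)
```

To check the result, bind as the server account and search the container: `ldapsearch -H ldap://localhost -D "uid=serveruser1,ou=ServerUsers,dc=domain,dc=com" -W -b "ou=Projects,dc=domain,dc=com" "(objectClass=*)"` should return only the project entries whose seeAlso lists that account. Two caveats: first, granting a further account access to a project is then a seeAlso value on the project entry rather than a new ACI. Second, a default 389 DS suffix ships with an "Enable anonymous access" ACI using `userdn = "ldap:///anyone"`, and `anyone` matches authenticated binds as well as anonymous ones, so disabling anonymous bind does not neutralise it; if such an allow exists on dc=domain,dc=com, it already lets serveruser1 read ou=Projects, and the fix is to narrow or remove that allow (for example, restrict its `target` or `targetattr`), not to add a deny on ou=Projects, because the deny would also override the allow above.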