[389-users] Client ACI question
Ludwig Krispenz
lkrispen at redhat.com
Wed Jan 2 10:11:31 UTC 2013
Hi
On 01/02/2013 08:18 AM, Matti Alho wrote:
> Hi,
>
> I have read various documents (including Redhat ones) about ACI
> implementation. But still the following basic scenario confuses me.
>
> * anonymous bind disabled
> * each client server is authenticated with a unique username (e.g.
> "ou=ServerUsers,dc=domain,dc=com")
>
> * "ou=Projects,dc=domain,dc=com" holds confidential data
> ==>
> "uid=serveruser1,ou=ServerUsers,dc=domain,dc=com" should only be able
> to see one or several entries under "ou=Projects,dc=domain,dc=com"
>
> QUESTION: in order to minimize amount of ACIs, how should I setup the
> described situation?
> I have come up with the following options:
>
> 1. allow/deny
> What is the correct way to use allow/deny because if I use default
> deny on ou=Projects..., it overrides allows.
Deny always has precedence; it cannot be overridden by an allow rule. So
you should model your ACIs with allow rules (defining exceptions from
the default deny).
>
> 2. custom attribute
> Add a custom attribute somewhere and use that for ACI?
>
> I could use some concrete examples. I couldn't find any relevant
> guides or I'm just blind. :) Thanks for help.
You could look at the examples here:
http://port389.org/wiki/Howto:AccessControl
Either use an attribute in the entries you want to allow to be modified
and use a targetfilter to restrict the allow ACI only to those entries,
or use a userattr rule, like in the manager example.
Ludwig
>
> -Matti
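An added example (not from the thread or the 389 wiki) of the userattr approach Ludwig mentions, written as LDIF for ldapmodify; the project entry names, the use of the standard "owner" attribute and the second server account are assumptions:

```ldif
# Constructed example: a single allow ACI on the Projects container that
# lets a bound server account read only those project entries whose
# "owner" attribute holds its own bind DN. With anonymous bind disabled
# and no other ACI granting read here, every other entry stays invisible
# (default deny), so no explicit deny rule is needed and none should be
# added, because a deny can never be overridden by an allow.
dn: ou=Projects,dc=domain,dc=com
changetype: modify
add: aci
aci: (targetattr="*")(version 3.0; acl "server account sees its own projects"; allow (read, search, compare) userattr="owner#USERDN";)

# Each project entry names the server account(s) allowed to read it.
# "owner" is a standard DN-syntax attribute; the project entries'
# objectClass must permit it (otherwise use a custom DN-syntax attribute
# of your own and name that attribute in the userattr rule instead).
dn: cn=project-alpha,ou=Projects,dc=domain,dc=com
changetype: modify
add: owner
owner: uid=serveruser1,ou=ServerUsers,dc=domain,dc=com

dn: cn=project-beta,ou=Projects,dc=domain,dc=com
changetype: modify
add: owner
owner: uid=serveruser2,ou=ServerUsers,dc=domain,dc=com
```

To check the result, run a subtree ldapsearch under ou=Projects bound as serveruser1 and then as serveruser2: each bind should return only the project entry that lists it as owner, and an entry with no owner value should be returned to neither.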