[389-users] Client ACI question
Matti Alho
listat at alho.fi
Wed Jan 2 10:41:23 UTC 2013
>> What is the correct way to use allow/deny because if I use default
>> deny on ou=Projects..., it overrides allows.
> deny always has precedence, it cannot be overridden by an allow rule. So
> you should model your acis with allow rules (defining exceptions from
> the default deny).
So basically default allow and deny only entries that are confidential?
>> 2. custom attribute
>> Add a custom attribute somewhere and use that for ACI?
>>
>> I could use some concrete examples. I couldn't find any relevant
>> guides or I'm just blind. :) Thanks for help.
> you could look at the examples here:
> http://port389.org/wiki/Howto:AccessControl
>
> Either use an attribute in the entries you want to allow to be modified
> and use a targetfilter to restrict the allow aci only to those entries.
> Or use a userattr rule, like in the manager example.
How would that translate in practice?
What kind of ACI would I need to achieve the following:
"uid=serveruser1,ou=ServerUsers,dc=domain,dc=com"
==> has access to
"cn=Project1,ou=Projects,dc=domain,dc=com"
AND
"cn=Project2,ou=Projects,dc=domain,dc=com"
==> deny access to other entries in "ou=Projects,dc=domain,dc=com"
If I add an attribute, can I define certain bind users as values?
Thanks for helping out!
-Matti
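A worked example of the userattr approach the reply points at, added here as an illustration and not taken from the thread or from the port389 wiki. It tags each project entry with the bind DNs that may access it and adds a single allow ACI on ou=Projects, so every other entry under that container falls through to the default deny without needing an explicit deny rule. The DNs come from the question; the choice of the standard DN-syntax attribute `owner` (a custom attribute of DN syntax would work the same way), the ACI names and the rights list are assumptions.

```ldif
# Added example, not from the original thread.
# Step 1: list the permitted bind DNs on each project entry. `owner` is a
# standard DN-syntax attribute, used here as an assumption in place of a
# custom one; any DN-syntax attribute works with userattr.
dn: cn=Project1,ou=Projects,dc=domain,dc=com
changetype: modify
add: owner
owner: uid=serveruser1,ou=ServerUsers,dc=domain,dc=com

dn: cn=Project2,ou=Projects,dc=domain,dc=com
changetype: modify
add: owner
owner: uid=serveruser1,ou=ServerUsers,dc=domain,dc=com

# Step 2: one allow ACI on the container. The bind DN is granted access to
# an entry only if that entry's `owner` attribute contains the bind DN.
# Entries under ou=Projects with no matching `owner` value match no allow
# rule and are denied by default, so no deny ACI is written at all.
# Rights list (read,search,compare,write) is an assumption.
dn: ou=Projects,dc=domain,dc=com
changetype: modify
add: aci
aci: (targetattr="*")(version 3.0; acl "project members via userattr";
  allow (read,search,compare,write) userattr="owner#USERDN";)

# Alternative for a single, fixed user (use instead of the ACI above):
# restrict the target with a targetfilter and name the bind DN directly.
#aci: (targetattr="*")
#  (targetfilter="(owner=uid=serveruser1,ou=ServerUsers,dc=domain,dc=com)")
#  (version 3.0; acl "serveruser1 projects via targetfilter";
#  allow (read,search,compare,write)
#  userdn="ldap:///uid=serveruser1,ou=ServerUsers,dc=domain,dc=com";)
```

Two checks worth doing after loading this. First, the userattr bind rule is evaluated against the entry being accessed, so entries beneath cn=Project1 would need `owner` themselves; if they should inherit it, write the bind rule as `userattr="parent[0,1].owner#USERDN"`. Second, the default deny only holds if no broader allow applies higher up: a suffix-level ACI such as the common anonymous-read rule would still grant read access to all of ou=Projects, so search the suffix for existing `aci` values before relying on this model, and confirm the result by binding as serveruser1 and searching ou=Projects: only Project1 and Project2 should come back.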