ACI

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On Sun, 2005-12-04 at 17:44 -0500, Jeff Clowser wrote:
> Craig White wrote:
> 
> >I have personal address books...each user would have one - i.e.
> >
> >ou=AddressBook,uid=craig,ou=People,dc=azapple,dc=com
> >ou=AddressBook,uid=jennifer,ou=People,dc=azapple,dc=com
> >
> >and my thinking is that each person can read/write/delete/etc. their own
> >address book, authenticated users can read and anonymous is denied.
> >  
> >
> First, a comment on this:  Does user craig really want user jennifer to 
> see his "personal" addressbooks?  Typically, "personal" addressbooks are 
> only visible by the person that owns them.  I know I'm questioning your 
> requirements rather than telling you how to implement what you want, but 
> thought I'd ask :)
----
finally got through my initial setup to work on these issues and can
reply back.

Most of my setups are for my clients and they do have workgroups where
they would possibly need to share address books. So I generally have
company wide address books and personal address books and permit at
least some sharing of the personal address books. In addition, since the
typical address book clients that people would use (Outlook/Thunderbird)
are incapable of creating/editing entries, it requires some other
application that some of the people are less than eager to use which
means that the maintenance of them falls to their underlings
----
> 
> >Thus I created 3 rules and they aren't working because an
> >unauthenticated/anonymous bind still can view them...
> >  
> >
> My guess is that at the top of your tree, you have an aci that allows 
> anonymous to see stuff (probably something like anonymous can 
> read/search all but userpassword, etc).  Aci's at the top are inherited 
> "down the tree", so they are visible because of that, not because of 
> your new aci's.  It's usually hard to create a deny aci for a lower 
> branch of the tree that works without breaking something else, and I 
> always try to avoid deny aci's (because they always take precedence and 
> can never be overridden by any allow aci's, causing some potentially 
> unexpected results).
----
Yeah you are correct on all these accounts. Obviously the default rule
is always to not allow whatever isn't expressly permitted and yes, there
was the default anonymous allow rule that played into it.

What I did discover was if I attached the following ACI to
ou=AddressBook,dc=clsurvey,dc=com it doesn't work but if I attach it to
dc=clsurvey,dc=com it does work.

(targetattr = "*") 
(target = "ldap:///*,ou=AddressBook,dc=clsurvey,dc=com";) 
(version 3.0;
acl "AddressBook Administrator";
allow (all)
(userdn =
"ldap:///uid=Administrator,ou=People,ou=Accounts,dc=clsurvey,dc=com";)
;)


Thanks

Craig




[Index of Archives]     [Fedora User Discussion]     [Older Fedora Users]     [Fedora Announce]     [Fedora Package Announce]     [EPEL Announce]     [Fedora News]     [Fedora Cloud]     [Fedora Advisory Board]     [Fedora Education]     [Fedora Security]     [Fedora Scitech]     [Fedora Robotics]     [Fedora Maintainers]     [Fedora Infrastructure]     [Fedora Websites]     [Anaconda Devel]     [Fedora Devel Java]     [Fedora Legacy]     [Fedora Desktop]     [Fedora Fonts]     [ATA RAID]     [Fedora Marketing]     [Fedora Management Tools]     [Fedora Mentors]     [Fedora Package Review]     [Fedora R Devel]     [Fedora PHP Devel]     [Kickstart]     [Fedora Music]     [Fedora Packaging]     [Centos]     [Fedora SELinux]     [Fedora Legal]     [Fedora Kernel]     [Fedora QA]     [Fedora Triage]     [Fedora OCaml]     [Coolkey]     [Virtualization Tools]     [ET Management Tools]     [Yum Users]     [Tux]     [Yosemite News]     [Yosemite Photos]     [Linux Apps]     [Maemo Users]     [Gnome Users]     [KDE Users]     [Fedora Tools]     [Fedora Art]     [Fedora Docs]     [Maemo Users]     [Asterisk PBX]     [Fedora Sparc]     [Fedora Universal Network Connector]     [Fedora ARM]

  Powered by Linux