ACI to restrict access to sensitive attributes.

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 

Thanks for the tip it put me on the right track. It turns out the anonymous 
access is turned on by default, with the exception of 
the userPassword attribute. This is the aci for dc=ite,dc=gmu,dc=edu:

(targetattr != "userPassword") 
(version 3.0;
acl "Enable Anonymous Access";
allow (read,compare,search)
(userdn = "ldap:///anyone";)
;)

modifying the targetattr to be "userPassword || employeeNumber" gave me the 
expected default hidden behaviour for
employeeNumber. Now adding the following aci to ou=People,dc=ite.dc=gmu
,dc=edu:

(targetattr = "employeeNumber") 
(version 3.0;acl "Allow self to view employeeNumber";
allow (read,search)(userdn = "ldap:///self";)
;)

Gives me exactly the behaviour I was hoping for. Thanks again for the tip.

On 7/28/05, Rich Megginson <rmeggins at redhat.com> wrote:
> 
> By default, FDS will restrict access to everything - that is, you don't 
> need to have an explicit deny unless you have another ACI somewhere that 
> allows other attributes. ACIs work together in this way - when there is a 
> rule that allows some access and a rule that explicitly denies that same 
> access, the deny rule wins. In your case, if this is the only ACI, you don't 
> need the deny clause, you could just do this:
> (target = "ldap:///ou=People, dc=ite,dc=gmu,dc=edu") 
> (targetattr ="employeeNumber") 
> (version 3.0;acl "EmployeeNumber";
> allow (read) userdn="ldap:///self"; and authmethod="sasl gssapi";
> )
> 
> Alastair Neil wrote: 
> 
> I am struggling with setting ACIs to restrict access to certain attributes
> I would like the employeenumber attribute to be visible only to the user 
> and 
> only if they are authenticated via sasl gssapi. I have tried several 
> varients of the following:
> 
> 
> (target = "ldap:///ou=People, dc=ite,dc=gmu,dc=edu") 
> (targetattr ="employeeNumber") 
> (version 3.0;acl "EmployeeNumber";
> deny (all) userdn="ldap:///anyone"; |
> allow (read) userdn="ldap:///self"; and authmethod="sasl gssapi";
> )
> 
> this one seems to deny access regardless of the authmethod or bindbd used.
> 
> Anyone got any pointers?
> 
> 
> ------------------------------
> 
> --
> Fedora-directory-users mailing list
> Fedora-directory-users at redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-directory-users
>   
>  
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.fedoraproject.org/pipermail/389-users/attachments/20050728/7ac84bc8/attachment.html
[Index of Archives]     [Fedora User Discussion]     [Older Fedora Users]     [Fedora Announce]     [Fedora Package Announce]     [EPEL Announce]     [Fedora News]     [Fedora Cloud]     [Fedora Advisory Board]     [Fedora Education]     [Fedora Security]     [Fedora Scitech]     [Fedora Robotics]     [Fedora Maintainers]     [Fedora Infrastructure]     [Fedora Websites]     [Anaconda Devel]     [Fedora Devel Java]     [Fedora Legacy]     [Fedora Desktop]     [Fedora Fonts]     [ATA RAID]     [Fedora Marketing]     [Fedora Management Tools]     [Fedora Mentors]     [Fedora Package Review]     [Fedora R Devel]     [Fedora PHP Devel]     [Kickstart]     [Fedora Music]     [Fedora Packaging]     [Centos]     [Fedora SELinux]     [Fedora Legal]     [Fedora Kernel]     [Fedora QA]     [Fedora Triage]     [Fedora OCaml]     [Coolkey]     [Virtualization Tools]     [ET Management Tools]     [Yum Users]     [Tux]     [Yosemite News]     [Yosemite Photos]     [Linux Apps]     [Maemo Users]     [Gnome Users]     [KDE Users]     [Fedora Tools]     [Fedora Art]     [Fedora Docs]     [Maemo Users]     [Asterisk PBX]     [Fedora Sparc]     [Fedora Universal Network Connector]     [Fedora ARM]

  Powered by Linux