speedy zinc wrote:
> I've created two user entries under People:
>
> Test User: uid=testuser
> Jane Doe : uid=JDoe
>
> Here's what I'm trying to achieve with access control:
>
> - Turn off anon access to the entry Test User
> - Allow full access to Test User on Test User
> - Allow (read, search, compare) to JDoe on Test User, and no other users
> - Allow full access to "cn=Directory Manager" on Test User.
> - Anon access is still allowed on other entries
>
> So, here is the list of ACIs (besides the inherited ones) that I've created on the entry Test User:
>
> (targetattr = "*") (version 3.0;acl "self";allow (all)(userdn = "ldap:///uid=testuser,ou=People, dc=dummy,dc=com");)
>
> (targetattr != "userPassword") (version 3.0;acl "No anonymous access";deny (all)(userdn = "ldap:///anyone");)
>
> (targetattr = "*") (target = "ldap:///uid=testuser,ou=People, dc=dummy,dc=com") (version 3.0;acl "Allow JDoe";allow (read,compare,search)(userdn = "ldap:///uid=JDoe,ou=People, dc=dummy,dc=com");)
>
> With the ACIs above, it seems that the "No anonymous access" is taking precedence over the other two. Even the "Test User" does not have access to its own data, and JDoe certainly does not either. The only user who has access is the Directory Manager.
>
> How do I achieve my goals with ACI?

Note that ACIs are logically ORed during evaluation. And "deny" always takes precedence over "allow". So, your ACI which [deny(all)(userdn="ldap:///anyone")] will take precedence over the other two. Therefore, even Test User is denied reading his own data.

You can combine the 3 ACIs above into the following:

(targetattr="*")(target="ldap:///uid=testuser,ou=People,dc=dummy,dc=com") (version 3.0;acl "Self and JDoe (but no anon to all)"; deny(all)(userdn != "ldap:///uid=testuser,ou=People,dc=dummy,dc=com || ldap:///uid=JDoe,ou=People,dc=dummy,dc=com");)

This tells the server to deny to all on that specific target except if userdn is "testuser" or "JDoe".
Hope that helps.

csp
--
Chen Shaopeng
http://www.idsignet.com
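An added example, not part of the thread, that models how 389 DS evaluates the three ACIs from the question: any matching deny beats every allow, and the subject keyword ldap:///anyone matches authenticated binds as well as anonymous ones (ldap:///all is the keyword for authenticated users only), which is why the "No anonymous access" ACI also locks out testuser and JDoe. The DN normalisation and the absence of targetfilter and inherited ACIs are simplifying assumptions.

```python
from dataclasses import dataclass
# Constructed DNs taken from the thread (compared in normalised form)
TESTUSER = "uid=testuser,ou=People,dc=dummy,dc=com"
JDOE = "uid=JDoe,ou=People,dc=dummy,dc=com"

def norm(dn):
    # Crude DN normalisation: lowercase, whitespace stripped (an assumption)
    return "".join(dn.lower().split())

@dataclass
class Aci:
    name: str
    allow: bool                       # True = allow, False = deny
    rights: set                       # e.g. {"read", "search"} or {"all"}
    subjects: set                     # normalised bind DNs, or "anyone"
    subjects_negated: bool = False    # userdn != ...
    target: str = None                # entry DN, None = any entry
    targetattr: set = None            # attribute names, None = any attribute
    targetattr_negated: bool = False  # targetattr != ...

    def applies(self, bind_dn, entry_dn, attr, right):
        if self.target and norm(self.target) != norm(entry_dn):
            return False
        if self.targetattr is not None:
            hit = attr.lower() in {a.lower() for a in self.targetattr}
            if hit == self.targetattr_negated:
                return False
        if "all" not in self.rights and right not in self.rights:
            return False
        # ldap:///anyone matches every bind identity, anonymous included
        hit = "anyone" in self.subjects or (
            bind_dn is not None and norm(bind_dn) in self.subjects)
        return hit != self.subjects_negated

def evaluate(acis, bind_dn, entry_dn, attr, right):
    """Any matching deny wins; otherwise a matching allow is needed
    (the default, with no ACI matching, is deny)."""
    matched = [a for a in acis if a.applies(bind_dn, entry_dn, attr, right)]
    if any(not a.allow for a in matched):
        return False
    return any(a.allow for a in matched)

# The three ACIs from the question, transcribed into the model
ORIGINAL = [
    Aci("self", True, {"all"}, {norm(TESTUSER)}),
    Aci("No anonymous access", False, {"all"}, {"anyone"},
        targetattr={"userPassword"}, targetattr_negated=True),
    Aci("Allow JDoe", True, {"read", "compare", "search"}, {norm(JDOE)},
        target=TESTUSER),
]
```

With all three ACIs, evaluate(ORIGINAL, TESTUSER, TESTUSER, "cn", "read") is False because the deny matches testuser; the one thing testuser can still do is write userPassword, the only attribute the deny excludes.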