Re: [389-users] Announcing 389 Directory Server version 1.2.9.6 Testing

On 08/23/2011 09:26 AM, Rich Megginson wrote:
> Can you provide the exact aci you used below?
>>
>> dc=messinet,dc=com (anonymous perms removed, all other defaults intact)
>> |
>> +-ou=People (allowed dns=localhost,messinet.com,*.messinet.com)
>> |
>> +-ou=Groups (allowed dns=localhost,messinet.com,*.messinet.com)
>> |
>> +-ou=Special Users (allowed dns=localhost,messinet.com,*.messinet.com)
>> |
>> +-ou=Computers (allowed dns=localhost,messinet.com,*.messinet.com)
>> |
>> +-ou=eGW (allowed dns=localhost,messinet.com,*.messinet.com)
>>
>> -A

Attached, find the original ACIs I used prior to
389-ds-base-1.2.9.6-1.fc15.i686

Since the upgrade, I have needed to leave the following default in place:

aci: (targetattr != "userPKCS12 || userPassword")(version 3.0;acl "Enable anonymous access"; allow (read,compare,search)(userdn = "ldap:///anyone";);)

But as you can see, this makes it incredibly difficult to restrict access
based on tree structure, as everyone already has read access.  -A

-- 
Anthony - http://messinet.com - http://messinet.com/~amessina/gallery
8F89 5E72 8DF0 BCF0 10BE 9967 92DC 35DC B001 4A4E
[root@f15-i686 ~]# ldapsearch -x -D "cn=directory manager" -W -H ldap://[::1] aci=* aci
Enter LDAP Password: 
# extended LDIF
#
# LDAPv3
# base <dc=messinet,dc=com> (default) with scope subtree
# filter: aci=*
# requesting: aci 
#

# messinet.com
dn: dc=messinet,dc=com
aci: (targetattr ="*")(version 3.0;acl "Directory Administrators Group";allow 
 (all) (groupdn = "ldap:///cn=Directory Administrators, dc=messinet,dc=com");)
aci: (targetattr="*")(version 3.0; acl "Configuration Administrators Group"; a
 llow (all) groupdn="ldap:///cn=Configuration Administrators,ou=Groups,ou=Topo
 logyManagement,o=NetscapeRoot";)
aci: (targetattr="*")(version 3.0; acl "Configuration Administrator"; allow (a
 ll) userdn="ldap:///uid=admin,ou=Administrators,ou=TopologyManagement,o=Netsc
 apeRoot";)
aci: (targetattr = "*")(version 3.0; acl "SIE Group"; allow (all) groupdn = "l
 dap:///cn=slapd-ds,cn=389 Directory Server,cn=Server Group,cn=ds.messinet.com
 ,ou=messinet.com,o=NetscapeRoot";)
aci: (targetattr = "managerName || physicalDeliveryOfficeName || homePhone || 
 preferredDeliveryMethod || jpegPhoto || assistantName || nsAIMid || birthDate
  || mozillaHomeCountryName || audio || internationaliSDNNumber || carPhone ||
  postalAddress || note || roomNumber || mozillaWorkStreet2 || givenName || ca
 rLicense || fileAs || mozillaSecondEmail || userPKCS12 || userPassword || tel
 etexTerminalIdentifier || mobile || radio || businessRole || otherPostalAddre
 ss || manager || objectClass || userSMIMECertificate || mozillaHomeStreet || 
 displayName || freeBusyURI || destinationIndicator || telexNumber || employee
 Number || anniversary || secretary || uid || userCertificate || telex || othe
 rPhone || st || mozillaCustom4 || mozillaCustom3 || mozillaCustom2 || mozilla
 Custom1 || calendarURI || description || mozillaHomePostalCode || mail || lab
 eledUri || businessCategory || homePostalAddress || x500UniqueIdentifier || p
 ostOfficeBox || ou || seeAlso || registeredAddress || postalCode || homeFacsi
 mileTelephoneNumber || photo || category || categories || mozillaNickname || 
 companyPhone || mozillaHomeLocalityName || shadowLastChange || title || prima
 ryPhone || mailer || mozillaWorkUrl || street || pager || assistantPhone || d
 epartmentNumber || mozillaHomeStreet2 || mozillaUseHtmlMail || mozillaHomeSta
 te || o || cn || l || initials || otherFacsimileTelephoneNumber || callbackPh
 one || telephoneNumber || preferredLanguage || facsimileTelephoneNumber || mo
 zillaHomeUrl || x121Address || employeeType") (version 3.0; acl "Authenticate
 d user self access"; allow (read,compare,search,write)(userdn = "ldap:///self
 ");)

# Groups, messinet.com
dn: ou=Groups,dc=messinet,dc=com
aci: (targetattr != "userPKCS12 || userPassword") (target = "ldap:///ou=Groups
 , dc=messinet, dc=com") (version 3.0;acl "Anonymous access within messinet.co
 m domain";allow (read,compare,search)(userdn = "ldap:///anyone";);)
aci: (targetattr != "userPKCS12 || userPassword") (target = "ldap:///ou=Groups
 , dc=messinet, dc=com") (version 3.0; acl "SSSD access for mobile workstation
 s";allow (read,compare,search) (userdn = "ldap:///uid=sssd, ou=Special Users,
  dc=messinet, dc=com");)

# People, messinet.com
dn: ou=People,dc=messinet,dc=com
aci: (targetattr != "userPKCS12 || userPassword") (target = "ldap:///ou=People
 , dc=messinet, dc=com") (version 3.0;acl "Anonymous access within messinet.co
 m domain";allow (read,compare,search)(userdn = "ldap:///anyone";);)
aci: (targetattr != "userPKCS12 || userPassword") (target = "ldap:///ou=People
 , dc=messinet, dc=com") (version 3.0; acl "SSSD access for mobile workstation
 s"; allow (read,compare,search) (userdn = "ldap:///uid=sssd, ou=Special Users
 , dc=messinet, dc=com");)

# Special Users, messinet.com
dn: ou=Special Users,dc=messinet,dc=com
aci: (targetattr != "userPKCS12 || userPassword") (target = "ldap:///ou=Specia
 l Users,dc=messinet, dc=com") (version 3.0;acl "Anonymous access within messi
 net.com domain";allow (read,compare,search)(userdn = "ldap:///anyone";);)

# eGW, messinet.com
dn: ou=eGW,dc=messinet,dc=com
aci: (targetattr = "*") (target = "ldap:///ou=*,ou=eGW,dc=messinet,dc=com";) (v
 ersion 3.0;acl "eGW Admin access";allow (read,compare,search,write,delete,add
 )(userdn = "ldap:///uid=egw,ou=Special Users,dc=messinet, dc=com");)
aci: (targetattr = "homePhone || mobile || objectClass || otherPhone || mozill
 aCustom4 || mozillaCustom3 || mozillaCustom2 || mozillaCustom1 || mail || hom
 eFacsimileTelephoneNumber || companyPhone || primaryPhone || assistantPhone |
 | cn || otherFacsimileTelephoneNumber || callbackPhone || telephoneNumber || 
 facsimileTelephoneNumber") (target = "ldap:///ou=eGW,dc=messinet,dc=com";) (ve
 rsion 3.0;acl "Asterisk FAX Gateway/eGW phone and email list access";allow (r
 ead,compare,search)(userdn = "ldap:///uid=asterisk,ou=Special Users,dc=messin
 et, dc=com");)

# accounts, messinet.com, eGW, messinet.com
dn: ou=accounts,ou=messinet.com,ou=eGW,dc=messinet,dc=com
aci: (targetattr != "userPKCS12 || userPassword") (target = "ldap:///ou=accoun
 ts,($dn),ou=eGW,dc=messinet,dc=com") (version 3.0;acl "eGW messinet.com accou
 nt list access";allow (read,compare,search) (userdn = "ldap:///uid=*,ou=accou
 nts,($dn),ou=eGW,dc=messinet,dc=com");)
aci: (targetattr = "objectClass || uid") (target = "ldap:///ou=accounts,ou=mes
 sinet.com,ou=eGW,dc=messinet,dc=com") (version 3.0; acl "Apache/eGW account l
 ist access"; allow (read,compare,search) (userdn = "ldap:///uid=apache, ou=Sp
 ecial Users,dc=messinet,dc=com");)
aci: (targetattr = "homePhone || mobile || objectClass || otherPhone || mozill
 aCustom4 || mozillaCustom3 || mozillaCustom2 || mozillaCustom1 || mail || hom
 eFacsimileTelephoneNumber || companyPhone || primaryPhone || assistantPhone |
 | cn || otherFacsimileTelephoneNumber || callbackPhone || telephoneNumber || 
 facsimileTelephoneNumber") (target = "ldap:///ou=accounts,ou=messinet.com,ou=
 eGW,dc=messinet,dc=com") (version 3.0;acl "Asterisk/eGW account list access";
 allow (read,compare,search)(userdn = "ldap:///uid=asterisk,ou=Special Users,d
 c=messinet, dc=com");)
aci: (targetattr != "userPKCS12 || userPassword") (target = "ldap:///ou=accoun
 ts,ou=messinet.com,ou=eGW,dc=messinet,dc=com") (version 3.0;acl "System/eGW a
 ccount list access";allow (read,compare,search) (userdn = "ldap:///uid=*,ou=P
 eople,dc=messinet,dc=com");)

# personal, contacts, messinet.com, eGW, messinet.com
dn: ou=personal,ou=contacts,ou=messinet.com,ou=eGW,dc=messinet,dc=com
aci: (targetattr = "*") (target = "ldap:///cn=($dn),ou=personal,ou=contacts,ou
 =messinet.com,ou=eGW,dc=messinet,dc=com") (version 3.0;acl "System/eGW person
 al addressbook access";allow (read,compare,search) (userdn = "ldap:///uid=[$d
 n],ou=People,dc=messinet,dc=com");)
aci: (targetattr = "*") (target = "ldap:///cn=($dn),ou=personal,ou=contacts,ou
 =messinet.com,ou=eGW,dc=messinet,dc=com") (version 3.0;acl "eGW messinet.com 
 personal addressbook access";allow (read,compare,search,write,delete,add)(use
 rdn = "ldap:///uid=[$dn],ou=accounts,ou=messinet.com,ou=eGW,dc=messinet,dc=co
 m");)

# shared, contacts, messinet.com, eGW, messinet.com
dn: ou=shared,ou=contacts,ou=messinet.com,ou=eGW,dc=messinet,dc=com
aci: (targetattr = "*") (target = "ldap:///($dn),ou=shared,ou=contacts,ou=mess
 inet.com,ou=eGW,dc=messinet,dc=com") (version 3.0;acl "eGW messinet.com group
  addressbook access";allow (read,compare,search,write,delete,add)(groupdn = "
 ldap:///[$dn],ou=groups,ou=messinet.com,ou=eGW,dc=messinet,dc=com";);)
aci: (targetattr = "*") (target = "ldap:///($dn),ou=shared,ou=contacts,ou=mess
 inet.com,ou=eGW,dc=messinet,dc=com") (version 3.0;acl "System/eGW group addre
 ssbook access";allow (read,compare,search) (groupdn = "ldap:///[$dn],ou=sasl-
 groups,ou=messinet.com,ou=eGW,dc=messinet,dc=com");)

# groups, messinet.com, eGW, messinet.com
dn: ou=groups,ou=messinet.com,ou=eGW,dc=messinet,dc=com
aci: (targetattr = "objectClass || member") (target = "ldap:///cn=*,ou=groups,
 ou=messinet.com,ou=eGW,dc=messinet,dc=com") (version 3.0;acl "Apache/eGW grou
 p list access";allow (read,compare,search)(userdn = "ldap:///uid=apache, ou=S
 pecial Users,dc=messinet, dc=com");)

# Computers, messinet.com
dn: ou=Computers,dc=messinet,dc=com
aci: (targetattr != "userPKCS12 || userPassword") (target = "ldap:///ou=Comput
 ers,dc=messinet,dc=com") (version 3.0;acl "Anonymous access within messinet.c
 om domain";allow (read,compare,search)(userdn = "ldap:///anyone";) and (dns="l
 ocalhost" or dns="messinet.com" or dns="*.messinet.com");)

# search result
search: 2
result: 0 Success

# numResponses: 11
# numEntries: 10


--
389 users mailing list
389-users@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/389-users
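The point Anthony runs into above is a general property of 389 DS access control: ACIs are additive, so an anonymous "allow (read,compare,search)" on the suffix grants read everywhere below it, and narrower ACIs on ou=People, ou=Computers and so on (including ones with a dns= bind rule) cannot take that back. The following is an added example, not code from the post or from 389 DS. It unfolds LDIF of the kind ldapsearch returns, parses each ACI's acl name, rights, target and bind rule, and reports every entry whose own anonymous grant is absent or host-restricted while an unrestricted anonymous read is inherited from an ACI higher in the tree. The LDIF inside it is constructed for the example (dc=example,dc=com rather than the poster's suffix); the ACI grammar assumed is the one visible in the thread, and escaped commas in DNs and wildcard or macro ($dn) targets are treated as applying to the holding entry rather than evaluated.

```python
"""Audit 389 DS ACIs for anonymous grants that make subtree restrictions moot.
Added example (not from the original post or from 389 DS). Assumes the ACI form
seen in the thread: (targetattr ...)(target ...)(version 3.0; acl "name"; allow (rights) bindrule;)"""
import re

# Constructed sample LDIF; continuation lines start with one space, as ldapsearch emits.
SAMPLE_LDIF = """\
dn: dc=example,dc=com
aci: (targetattr != "userPKCS12 || userPassword")(version 3.0;acl "Enable anon
 ymous access"; allow (read,compare,search)(userdn = "ldap:///anyone";);)

dn: ou=People,dc=example,dc=com
aci: (targetattr != "userPKCS12 || userPassword") (target = "ldap:///ou=People
 ,dc=example,dc=com") (version 3.0;acl "Anonymous access within example.com dom
 ain";allow (read,compare,search)(userdn = "ldap:///anyone";) and (dns="localho
 st" or dns="example.com" or dns="*.example.com");)

dn: ou=Secret,dc=example,dc=com
aci: (targetattr = "*") (version 3.0;acl "Admins only";allow (all)(groupdn = "l
 dap:///cn=Directory Administrators,dc=example,dc=com");)
"""

ACL_NAME = re.compile(r'acl\s*"([^"]*)"')
TARGET = re.compile(r'\(\s*target\s*=\s*"ldap:///([^"]*)"')
# rights list, then everything up to the closing ';)' is the bind rule
RULE = re.compile(r'(allow|deny)\s*\(([^)]*)\)\s*(.*?);\s*\)\s*$', re.S)
HOST_RULE = re.compile(r'\b(dns|ip)\s*=')

def normalize_dn(dn):
    """Lower-case and strip spaces after commas (escaped commas not handled)."""
    return ",".join(part.strip().lower() for part in dn.split(","))

def unfold_ldif(text):
    """Join folded lines; return [{'dn': ..., 'aci': [...]}] in file order."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]          # continuation line: drop the leading space
        else:
            lines.append(raw)
    entries, current = [], None
    for line in lines:
        if not line.strip():
            current = None
        elif line.startswith("dn: "):
            current = {"dn": normalize_dn(line[4:]), "aci": []}
            entries.append(current)
        elif line.startswith("aci: ") and current is not None:
            current["aci"].append(line[5:])
    return entries

def parse_aci(aci):
    """Pull out the pieces this audit needs from one ACI value."""
    name, rule, target = ACL_NAME.search(aci), RULE.search(aci), TARGET.search(aci)
    if not rule:
        raise ValueError("unrecognised ACI: " + aci)
    bind = rule.group(3)
    return {
        "name": name.group(1) if name else "",
        "kind": rule.group(1),
        "rights": {r.strip().lower() for r in rule.group(2).split(",")},
        "target": target.group(1) if target else None,
        "anonymous": "ldap:///anyone" in bind,
        "host_restricted": bool(HOST_RULE.search(bind)),   # dns= / ip= clause present
    }

def aci_scope(holder_dn, parsed):
    """DN below which the ACI applies: a literal target if given, else the holding entry."""
    t = parsed["target"]
    if t and "*" not in t and "$" not in t:
        return normalize_dn(t)
    return holder_dn

def subsumed_restrictions(entries):
    """Entries that inherit an unrestricted anonymous read from a higher ACI while
    their own ACIs grant anonymous nothing, or only under a dns=/ip= restriction.
    Allows accumulate in 389 DS, so the broader inherited grant is what applies."""
    grants = []
    for e in entries:
        for a in e["aci"]:
            p = parse_aci(a)
            if p["kind"] == "allow" and p["anonymous"] and "read" in p["rights"]:
                grants.append((aci_scope(e["dn"], p), p["name"], p["host_restricted"]))
    findings = []
    for e in entries:
        dn = e["dn"]
        inherited_open = [(s, n) for s, n, r in grants
                          if s != dn and dn.endswith("," + s) and not r]
        own_open = [n for s, n, r in grants if s == dn and not r]
        if inherited_open and not own_open:
            findings.append((dn, inherited_open))
    return findings

if __name__ == "__main__":
    for dn, via in subsumed_restrictions(unfold_ldif(SAMPLE_LDIF)):
        print(f"{dn}: anonymous read still granted via {via}")
```

Run against real output, replace SAMPLE_LDIF with the result of the poster's ldapsearch command (`ldapsearch -x -D "cn=directory manager" -W -H ldap://[::1] aci=* aci`). In the sample, both ou=People (own anonymous grant is dns-restricted) and ou=Secret (no anonymous grant at all) are reported as still readable anonymously through "Enable anonymous access" on the suffix, which is the situation the thread describes; the fix is to drop or narrow the suffix-level grant rather than to add more restrictive ACIs below it.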
