On 09/21/2012 07:26 AM, Matti Alho wrote:
Hi,
One ACI related question. I've been learning to use ACIs and read
various documentation. Let's say we have the following structure.
...
cn=Customer1,ou=Sales,dc=domain,dc=com
cn=Customer2,ou=Sales,dc=domain,dc=com
....
Then we have servers authenticating using credentials.
...
uid=server1,cn=VirtualServers,ou=Servers,dc=domain,dc=com
uid=server2,cn=VirtualServers,ou=Servers,dc=domain,dc=com
...
Question: What kind of ACI is needed to limit server1 access to read
Customer1 entry only?
Would I need to create an ACI for each server separately? I was
wondering whether one should limit the number of ACIs, so is there some
other way to achieve this? Thanks for help!
If you need something like: s1 -> c1, s2 -> c2, s3 -> c3... Then you
have two options, add individual aci's, or macro aci's. Macro aci's can
be a little tricky, so without knowing what your data looks like, I'm not
sure if macro aci's can actually be used.
So the individual aci would look like:
aci: (targetattr = "*") (target =
"ldap:///cn=Customer1,ou=Sales,dc=domain,dc=com") (version 3.0;acl
"TEST";allow (read,search,compare)
(userdn =
"ldap:///uid=server1,cn=VirtualServers,ou=Servers,dc=domain,dc=com");)
This is pretty basic, but adding thousands of aci's will impact
performance. There are many ways you could do this, but they all require
extra work. Macro aci's are the best way to go (if possible), or you
could use "filtered roles", and use roledn instead of userdn in the aci,
but this isn't necessarily an easier approach as you might need to add
"extra" attributes to your entries (for role filtering). It's something
to look into.
Regards,
Mark
--
389 users mailing list
389-users@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/389-users
--
Mark Reynolds
Red Hat, Inc
mreynolds@xxxxxxxxxx
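As an added illustration of the "individual aci per server" option above (my own code, not from Mark's reply or from the 389 project): the script below generates one ACI per server-to-customer pair in the same form as the ACI quoted in the reply, emits the LDIF to add them, and then cross-checks every server against every customer entry with a deliberately simplified ACI evaluator, so you can confirm that server1 reads Customer1 and nothing else before loading the rules. The server/customer mapping is constructed sample data. The evaluator is an assumption for illustration only: it models exact-DN target, userdn and allow(read) matching, and ignores deny rules, targetfilter, scope and the other parts of real 389 DS evaluation, so it is a pre-flight sanity check, not a substitute for testing against the directory itself.

```python
import re

# Constructed suffix and containers, matching the DNs in the thread.
SUFFIX = "dc=domain,dc=com"
CUSTOMER_BASE = f"ou=Sales,{SUFFIX}"
SERVER_BASE = f"cn=VirtualServers,ou=Servers,{SUFFIX}"

# Constructed mapping (assumption): which server may read which customer entry.
SERVER_TO_CUSTOMER = {
    "server1": "Customer1",
    "server2": "Customer2",
    "server3": "Customer3",
}

# The ACI exactly as it appears in the reply above, line breaks and stray
# trailing space included; used to show the parser copes with wrapped text.
ORIGINAL_ACI = '''(targetattr = "*") (target =
"ldap:///cn=Customer1,ou=Sales,dc=domain,dc=com") (version 3.0;acl
"TEST";allow (read,search,compare)
(userdn =
"ldap:///uid=server1,cn=VirtualServers,ou=Servers,dc=domain,dc=com ");)'''


def build_aci(server_uid, customer_cn):
    """One per-server ACI in the shape used in the reply: read/search/compare
    on a single customer entry, granted only to that server's bind DN."""
    target = f"cn={customer_cn},{CUSTOMER_BASE}"
    bind_dn = f"uid={server_uid},{SERVER_BASE}"
    return (
        f'(targetattr = "*")(target = "ldap:///{target}")'
        f'(version 3.0; acl "{server_uid}-reads-{customer_cn}"; '
        f'allow (read,search,compare) (userdn = "ldap:///{bind_dn}");)'
    )


def build_ldif(mapping):
    """LDIF modify operation adding every generated ACI to the ou=Sales entry."""
    lines = [f"dn: {CUSTOMER_BASE}", "changetype: modify", "add: aci"]
    for server_uid, customer_cn in mapping.items():
        lines.append("aci: " + build_aci(server_uid, customer_cn))
    return "\n".join(lines) + "\n"


# Simplified ACI grammar: target, allow(rights), userdn. Assumption for this
# example only; real ACIs can carry targetfilter, deny, groupdn, roledn, etc.
ACI_RE = re.compile(
    r'\(target\s*=\s*"ldap:///(?P<target>[^"]+)"\).*?'
    r'allow\s*\((?P<rights>[^)]*)\)\s*\(userdn\s*=\s*"ldap:///(?P<userdn>[^"]+)"\)',
    re.DOTALL,
)


def normalize_dn(dn):
    """Lower-case and strip whitespace around each RDN, a minimal stand-in for
    the server's DN normalisation; this also absorbs the trailing space in
    the quoted ACI."""
    return ",".join(part.strip().lower() for part in dn.split(","))


def parse_aci(aci):
    m = ACI_RE.search(aci)
    if not m:
        raise ValueError("unsupported ACI shape: " + aci)
    return {
        "target": normalize_dn(m.group("target")),
        "rights": {r.strip() for r in m.group("rights").split(",")},
        "userdn": normalize_dn(m.group("userdn")),
    }


def may_read(acis, bind_dn, entry_dn):
    """Default deny: True only if some ACI grants read on entry_dn to bind_dn."""
    bind_dn = normalize_dn(bind_dn)
    entry_dn = normalize_dn(entry_dn)
    for aci in acis:
        rule = parse_aci(aci)
        if (rule["target"] == entry_dn and rule["userdn"] == bind_dn
                and "read" in rule["rights"]):
            return True
    return False


def isolation_violations(mapping, acis):
    """Check every server against every customer entry. An empty list means
    each server can read exactly its own customer entry and no other."""
    violations = []
    for server_uid in mapping:
        bind_dn = f"uid={server_uid},{SERVER_BASE}"
        for customer_cn in mapping.values():
            entry_dn = f"cn={customer_cn},{CUSTOMER_BASE}"
            expected = mapping[server_uid] == customer_cn
            if may_read(acis, bind_dn, entry_dn) != expected:
                violations.append((server_uid, customer_cn))
    return violations


if __name__ == "__main__":
    acis = [build_aci(s, c) for s, c in SERVER_TO_CUSTOMER.items()]
    print(build_ldif(SERVER_TO_CUSTOMER))
    print("violations:", isolation_violations(SERVER_TO_CUSTOMER, acis))
```

Running it prints the LDIF you would feed to ldapmodify and an empty violations list; if someone later edits a generated rule to point server1 at Customer2, the cross-check reports the pair before the change reaches the directory. Note that this does nothing about the performance concern Mark raises: it only makes the per-server option auditable, and for thousands of servers the macro-ACI or filtered-role approaches he mentions remain the ones to evaluate.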