Re: Client ACI question

Hi
On 01/02/2013 08:18 AM, Matti Alho wrote:
Hi,

I have read various documents (including Redhat ones) about ACI implementation. But still the following basic scenario confuses me.

* anonymous bind disabled
* each client server is authenticated with a unique username (e.g. "ou=ServerUsers,dc=domain,dc=com")

* "ou=Projects,dc=domain,dc=com" holds confidential data
==>
"uid=serveruser1,ou=ServerUsers,dc=domain,dc=com" should only be able to see one or several entries under "ou=Projects,dc=domain,dc=com"

QUESTION: in order to minimize amount of ACIs, how should I setup the described situation?
I have come up with the following options:

1. allow/deny
What is the correct way to use allow/deny because if I use default deny on ou=Projects..., it overrides allows.
Deny always has precedence; it cannot be overridden by an allow rule. So you should model your ACIs with allow rules (defining exceptions from the default deny).

2. custom attribute
Add a custom attribute somewhere and use that for ACI?

I could use some concrete examples. I couldn't find any relevant guides or I'm just blind. :) Thanks for help.
you could look at the examples here: http://port389.org/wiki/Howto:AccessControl

Either use an attribute in the entries you want to allow to be modified and use a targetfilter to restrict the allow ACI only to those entries.
Or use a userattr rule, like in the manager example.

Ludwig

-Matti
--
389 users mailing list
389-users@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/389-users

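The two approaches Ludwig describes (a targetfilter on a marker attribute, or a userattr rule as in the manager example), written out as an added LDIF example that is not part of the thread or of the 389 DS project. It assumes the suffix dc=domain,dc=com, the user uid=serveruser1 and a project entry cn=project-alpha, all made up for the illustration, and uses the standard core-schema "owner" attribute as the marker so no custom schema is needed:

```ldif
# Added example, not from the thread or from 389 DS itself. Names below
# (dc=domain,dc=com, serveruser1, project-alpha) are assumptions.

# Mark which server user may see the project. Only Directory Manager (or an
# admin ACI not shown here) can write "owner": the ACIs below grant the
# server users read/search/compare only, so a user cannot widen their own
# access by editing the marker attribute.
dn: cn=project-alpha,ou=Projects,dc=domain,dc=com
changetype: modify
replace: owner
owner: uid=serveruser1,ou=ServerUsers,dc=domain,dc=com

# Option A (targetfilter): one ACI per server user, because the user's DN is
# hard-coded in both the filter and the bind rule. No deny rule is added;
# anything not granted by an allow is already denied, and a deny could not be
# overridden later anyway.
dn: ou=Projects,dc=domain,dc=com
changetype: modify
add: aci
aci: (targetattr="*")(targetfilter="(owner=uid=serveruser1,ou=ServerUsers,dc=domain,dc=com)")(version 3.0; acl "serveruser1 reads own projects"; allow (read,search,compare) userdn="ldap:///uid=serveruser1,ou=ServerUsers,dc=domain,dc=com";)

# Option B (userattr): a single ACI for every server user. "owner#USERDN"
# compares the target entry's owner value with the DN that performed the
# bind, so the entries themselves decide who may read them and adding a user
# needs no new ACI. parent[0,1] extends the match to entries one level below
# the project entry, so the owner can also see its sub-entries.
dn: ou=Projects,dc=domain,dc=com
changetype: modify
add: aci
aci: (targetattr="*")(version 3.0; acl "owner reads own projects"; allow (read,search,compare) userattr="parent[0,1].owner#USERDN";)
```

Load only one of the two options. Apply the file as Directory Manager with `ldapmodify -x -H ldap://server -D "cn=Directory Manager" -W -f acis.ldif`, then verify with `ldapsearch -x -H ldap://server -D "uid=serveruser1,ou=ServerUsers,dc=domain,dc=com" -W -b "ou=Projects,dc=domain,dc=com" "(objectClass=*)"`: only cn=project-alpha should come back, and the same search bound as a second server user without an owner entry should return nothing. `targetattr="*"` is spelled out deliberately; without it the rule would not cover the entries' attributes, and the search would return the DNs at best.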
