On Mar 6, 2014, at 11:32 AM, Ludwig Krispenz <lkrispen@xxxxxxxxxx> wrote:

> On 03/04/2014 11:10 PM, Morgan Jones wrote:
>>
>> On Mar 4, 2014, at 3:20 AM, Ludwig Krispenz <lkrispen@xxxxxxxxxx> wrote:
>>
>>>>> Are groups involved in the acis and do these groups during these runs?
>>>> Yes, most of our ACIs use groups to determine access. I'm not sure I understand the second part of your question though.
>>> you can't, it was incomplete. I wanted to know if these groups are modified during the runs when you see the failure.
>>>> I do suspect this has something to do with access control though as it's behaving exactly like the user is denied by the ACIs.
>> No, groups were not modified. They are relatively small as we're still migrating to this environment--maybe 10-15 DNs per group and they're only modified when we add/remove privileged accounts which isn't very often.
>>
>>>>> Could you post your acis?
>>>> Probably. I'm working on permission to do so.
>> The compromise I came to with my management and security team is to obfuscate the ACIs such that the attribute counts and structure are intact but the names are changed. Is the below useful?
> yes, but I can't see anything wrong with the acis.

Thanks for your input on the ACIs.

> One more question. Do the searches always match only one entry or one they should see and some they shouldn't?

In every case where we've seen this problem it's a search for one entry (uid=username) that the bind dn is able to see. Thanks for your input, we're working on repeating it reliably in 389.

>>
>> # Employee LDAP Access Control
>> #
>> dn: dc=domain,dc=org
>> changetype: modify
>> replace: aci
>> #
>> aci: (target = "ldap:///ou=employees,dc=domain,dc=org")
>> (targetattr = "userpassword")
>> (version 3.0; acl "limited user self write";
>> allow (write) userdn = "ldap:///self";)
>> #
>> aci: (target = "ldap:///dc=domain,dc=org" )
>> (targetfilter = "(|(objectclass=orgAssociate)(objectclass=orgEmployee)(objectclass=domain)
>> (objectclass=organizationalunit)(objectclass=groupofnames)(objectclass=groupofuniquenames))")
>> (targetattr = "attr1 || attr2 || ... || attr40")
>> (version 3.0; acl "general access, replaces anonymous access";
>> allow (read, search, compare)
>> (userdn = "ldap:///self") or
>> (groupdn = "ldap:///cn=orgGroup1,ou=groups,dc=domain,dc=org") or
>> (groupdn = "ldap:///cn=orgGroup2,ou=groups,dc=domain,dc=org") or
>> (groupdn = "ldap:///cn=orgGroup3,ou=groups,dc=domain,dc=org") or
>> (groupdn = "ldap:///cn=orgGroup4,ou=groups,dc=domain,dc=org") or
>> (groupdn = "ldap:///cn=orgGroup5,ou=groups,dc=domain,dc=org")
>> ;)
>> #
>> aci: (target = "ldap:///dc=domain,dc=org" )
>> (targetfilter = "(|(objectclass=orgExternalEmployee)(objectclass=domain)
>> (objectclass=organizationalunit)(objectclass=groupofnames)(objectclass=groupofuniquenames))")
>> (targetattr = "attr1 || attr2 || ... || attr40 ")
>> (version 3.0; acl "general access, replaces anonymous access";
>> allow (read, search, compare)
>> (userdn = "ldap:///self") or
>> (groupdn = "ldap:///cn=orgGroup2,ou=groups,dc=domain,dc=org") or
>> (groupdn = "ldap:///cn=OrgGroup3,ou=groups,dc=domain,dc=org") or
>> (groupdn = "ldap:///cn=orgGroup4,ou=groups,dc=domain,dc=org") or
>> (groupdn = "ldap:///cn=orgGroup5,ou=groups,dc=domain,dc=org")
>> ;)
>> #
>> aci: (target = "ldap:///dc=domain,dc=org")
>> (targetfilter = "(|(objectclass=orgExternalEmployee)(objectclass=domain)
>> (objectclass=organizationalunit)(objectclass=groupofnames)(objectclass=orgServiceAccount)(objectclass=orgOrgAccount))")
>> (targetattr = "attr1 || attr2 || ... || attr40")
>> (version 3.0; acl "general access plus service and organizational accounts";
>> allow (read, search, compare)
>> (userdn = "ldap:///self") or
>> (groupdn = "ldap:///cn=OrgGroup3,ou=groups,dc=domain,dc=org") or
>> (groupdn = "ldap:///cn=orgGroup4,ou=groups,dc=domain,dc=org") or
>> (groupdn = "ldap:///cn=orgGroup5,ou=groups,dc=domain,dc=org")
>> ;)
>> #
>> aci: (target = "ldap:///dc=domain,dc=org")(targetattr = "attr1 ||
>> attr2 || ... || attr30")
>> (version 3.0; acl "limited read access to non-public attributes for delegated admins";
>> allow (read, search, compare)
>> (groupdn = "ldap:///cn=orgGroup4,ou=groups,dc=domain,dc=org") or
>> (groupdn = "ldap:///cn=orgGroup5,ou=groups,dc=domain,dc=org")
>> ;)
>> #
>> aci: (target = "ldap:///dc=domain,dc=org")
>> (targetattr = "attr1 || attr2 || ... || attr28")
>> (version 3.0; acl "limited write access for delegated admins";
>> allow (write) groupdn = "ldap:///cn=orgGroup5,ou=groups,dc=domain,dc=org";)
>> #
>> aci: (target = "ldap:///dc=domain,dc=org")
>> (targetattr = "*")(version 3.0; acl "full access for delegated admins";
>> allow (all) groupdn = "ldap:///cn=orgGroup6,ou=groups,dc=domain,dc=org";)
>> #
>> aci: (target = "ldap:///dc=domain,dc=org")
>> (targetfilter="(memberof=cn=orgGroup6,ou=Groups,dc=domain,dc=org)")
>> (targetattr="userpassword")
>> (version 3.0; acl "deny non-admin user write access to admin users' passwords";
>> deny (all) groupdn != "ldap:///cn=orgGroup6,ou=groups,dc=domain,dc=org"
>> ;)
>> #
>> aci: (target = "ldap:///dc=domain,dc=org")
>> (targetattr = "attr1 || attr2 || ... || attr19")
>> (version 3.0; acl "access to posixaccount attributes for proxyagent";
>> allow (read,search,compare) userdn = "ldap:///uid=binddn1,ou=svc_accts,dc=domain,dc=org";)
>>
>> thanks,
>>
>> -morgan
>>
>> --
>> 389 users mailing list
>> 389-users@xxxxxxxxxxxxxxxxxxxxxxx
>> https://admin.fedoraproject.org/mailman/listinfo/389-users
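Added example, not code from the thread or from 389 Directory Server: a small Python evaluator for the ACI syntax Morgan posted, for checking offline which allow/deny ACIs would apply to a given bind DN, its group memberships and one attribute when chasing a denial like the one discussed. It ignores target scope and targetfilter, treats bind-rule clauses as OR-joined (as every ACI in the thread is written), and applies 389's rule that a matching deny overrides any allow; the sample ACIs, DNs and attribute lists are constructed.

```python
import re
# Constructed sample ACIs in 389 DS syntax, modelled on the obfuscated set in
# the thread (attribute lists shortened; target and targetfilter not evaluated).
SAMPLE_ACIS = [
    '(target = "ldap:///dc=domain,dc=org")(targetattr = "cn || mail || uid")'
    '(version 3.0; acl "general access"; allow (read, search, compare) '
    '(userdn = "ldap:///self") or '
    '(groupdn = "ldap:///cn=orgGroup5,ou=groups,dc=domain,dc=org");)',
    '(target = "ldap:///dc=domain,dc=org")(targetattr = "*")'
    '(version 3.0; acl "full access for delegated admins"; '
    'allow (all) groupdn = "ldap:///cn=orgGroup6,ou=groups,dc=domain,dc=org";)',
    '(target = "ldap:///dc=domain,dc=org")(targetattr = "userpassword")'
    '(version 3.0; acl "deny non-admin write to admin passwords"; '
    'deny (all) groupdn != "ldap:///cn=orgGroup6,ou=groups,dc=domain,dc=org";)',
]
# Captures: targetattr list, acl name, allow|deny, rights list, bind rule.
HEAD_RE = re.compile(r'\(targetattr\s*=\s*"([^"]*)"\).*?acl\s+"([^"]*)";\s*'
                     r'(allow|deny)\s*\(([^)]*)\)\s*(.*?);\)\s*$', re.S)
CLAUSE_RE = re.compile(r'(userdn|groupdn)\s*(!?=)\s*"ldap:///([^"]*)"')

def parse_aci(aci):
    """Split one ACI into attrs, name, effect, rights and bind-rule clauses."""
    m = HEAD_RE.search(aci)
    if m is None:
        raise ValueError("unparsed aci: " + aci)
    attrs, name, effect, rights, bind = m.groups()
    return {"name": name, "effect": effect,
            "attrs": {a.strip().lower() for a in attrs.split("||")},
            "rights": {r.strip() for r in rights.split(",")},
            # Assumed OR-joined, which is how every ACI in the thread is written.
            "clauses": CLAUSE_RE.findall(bind)}

def clause_matches(kind, op, value, bind_dn, groups, entry_dn):
    """Evaluate one userdn/groupdn clause; '!=' inverts the match."""
    if kind == "userdn":
        hit = bind_dn == (entry_dn if value == "self" else value)
    else:
        hit = value.lower() in {g.lower() for g in groups}
    return hit if op == "=" else not hit

def decide(acis, bind_dn, groups, entry_dn, attr, right):
    """Return (verdict, matching ACIs): any deny wins, no allow means deny."""
    hits = []
    for a in map(parse_aci, acis):
        if not ({"*", attr.lower()} & a["attrs"] and {"all", right} & a["rights"]):
            continue  # ACI does not cover this attribute or right
        if any(clause_matches(*c, bind_dn, groups, entry_dn) for c in a["clauses"]):
            hits.append((a["effect"], a["name"]))
    denied = not hits or any(e == "deny" for e, _ in hits)
    return ("deny" if denied else "allow"), hits
```

Running decide() over the real (de-obfuscated) ACI set for the failing bind DN and the attributes in the search shows which ACI is expected to grant access; an intermittent denial that this static check says should be allowed points at server-side evaluation (group membership lookup, caching) rather than at the ACI text.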