Hi Everyone,
A question about how to best go about doing access control on db-linked directories. Given the below 2-directory setup (Dir1 has a db link set up to Dir2, and vice versa), is the shown ACI setup possible/advisable? If not, what’s the best way to make it work?:
Dir1:
  dc=example,dc=com
    ou=employees
      uid=alice
      uid=bob
    cn=admins
      member: uid=alice,ou=employees,dc=example,dc=com
Dir2:
  dc=example,dc=com
    ou=projects
      aci: (targetattr ="*")(version 3.0;acl "Admins Group";allow (all) (groupdn = "ldap:///cn=admins,dc=example,dc=com");)
I ask because section 2.3.6. Database Links and Access Control Evaluation, of the RHDS Admin Guide says:
I’m afraid the phrasing is a little opaque to my understanding. Does it mean that the “Admins Group” ACI on Dir2 is not allowed to refer to cn=admins,dc=example,dc=com on Dir1?
If so, then what is the best way of maintaining groups centrally but allowing them to be used on remote directories?
*Bonus Question:
Say Alice only has access to Dir1; she can issue a search to ou=projects because of the DB link from Dir1 -> Dir2. When the aci on ou=projects is processed, which user is used: uid=alice or the proxy user of the db link? Will the aci work at all in this case?
Thanks a lot,
Trev
_________________________________________________
Trevor Fong
Senior Programmer Analyst
Information Technology | Engage. Envision. Enable.
The University of British Columbia
-- 389 users mailing list 389-users@%(host_name)s http://lists.fedoraproject.org/admin/lists/389-users@xxxxxxxxxxxxxxxxxxxxxxx
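The following is an added example, not part of the post above and not code from the 389 Directory Server project. It models the two-directory layout from the question as plain Python dictionaries and evaluates the groupdn bind rule of the posted ACI against whichever server is doing the evaluation. It rests on one simplifying assumption, stated here and in the code: the evaluating server can only resolve a groupdn against entries it holds itself, so a group that lives only on the other server is treated as undecidable and denied. The proxy bind DN, the entry contents and the ACI regex are all constructed for the example; the model says nothing about what 389 DS actually does, which is what the Admin Guide section cited in the post governs.

```python
import re
from typing import Dict, List, Tuple

Entries = Dict[str, Dict[str, List[str]]]

# Constructed entries mirroring the post's two-directory layout (sample
# data, not a real deployment). Dir1 holds the users and the group;
# Dir2 holds only the subtree that carries the ACI.
DIR1: Entries = {
    "dc=example,dc=com": {},
    "ou=employees,dc=example,dc=com": {},
    "uid=alice,ou=employees,dc=example,dc=com": {},
    "uid=bob,ou=employees,dc=example,dc=com": {},
    "cn=admins,dc=example,dc=com": {
        "member": ["uid=alice,ou=employees,dc=example,dc=com"],
    },
}
DIR2: Entries = {
    "dc=example,dc=com": {},
    "ou=projects,dc=example,dc=com": {},
}

# The ACI from the post, with straight quotes throughout.
ACI = ('(targetattr ="*")(version 3.0;acl "Admins Group";allow (all) '
       '(groupdn = "ldap:///cn=admins,dc=example,dc=com");)')

# Minimal extractor for a groupdn bind rule (example-only, not a full ACI parser).
GROUPDN_RE = re.compile(r'groupdn\s*=\s*"ldap:///([^"]+)"', re.IGNORECASE)


def normalize_dn(dn: str) -> str:
    """Case-fold and strip whitespace so DNs compare reliably."""
    return ",".join(part.strip().lower() for part in dn.split(","))


def groupdn_from_aci(aci: str) -> str:
    """Pull the group DN out of the ACI's groupdn bind rule."""
    match = GROUPDN_RE.search(aci)
    if match is None:
        raise ValueError("ACI has no groupdn bind rule")
    return match.group(1)


def evaluate_groupdn(local: Entries, bind_dn: str, aci: str) -> Tuple[bool, str]:
    """Decide a groupdn rule using only the evaluating server's own entries.

    Assumption of this model: a group entry that is not present locally
    cannot be consulted, so the rule is undecidable and access is denied.
    Returns (allowed, reason) with reason one of:
      "group-not-local"  the group entry is not on this server,
      "not-a-member"     the bind DN is not listed in the group,
      "member"           the bind DN is listed, access allowed.
    """
    group_dn = normalize_dn(groupdn_from_aci(aci))
    entries = {normalize_dn(dn): attrs for dn, attrs in local.items()}
    group = entries.get(group_dn)
    if group is None:
        return False, "group-not-local"
    members = {normalize_dn(m) for m in group.get("member", [])}
    if normalize_dn(bind_dn) in members:
        return True, "member"
    return False, "not-a-member"


def with_group_copied(local: Entries, source: Entries, group_dn: str) -> Entries:
    """Return a copy of `local` that also carries `group_dn` from `source`.

    This is one way to make the rule decidable on the ACI's own server;
    how the copy is kept current (replication, a sync job) is left open.
    """
    merged = dict(local)
    merged[group_dn] = source[group_dn]
    return merged


ALICE = "uid=alice,ou=employees,dc=example,dc=com"
PROXY = "cn=chaining-proxy,cn=config"  # hypothetical proxy bind DN of the db link

if __name__ == "__main__":
    dir2_with_group = with_group_copied(DIR2, DIR1, "cn=admins,dc=example,dc=com")
    for label, server, who in [("Dir2 as posted", DIR2, ALICE),
                               ("Dir2 + group copy, alice", dir2_with_group, ALICE),
                               ("Dir2 + group copy, proxy", dir2_with_group, PROXY)]:
        print(label, "->", evaluate_groupdn(server, who, ACI))
```

Running the block walks the three cases the post raises: the ACI evaluated on Dir2 as shown (group not resolvable locally), the same ACI once the group entry is also present on Dir2 (alice allowed), and the same rule evaluated for the link's proxy identity instead of alice (denied, since the proxy DN is not a member). Which identity the real server presents, and whether it can consult the remote group, is exactly what the cited guide section decides, so the model is only a way to see why those two details matter.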