Re: Migration from OpenLDAP to 389 DS

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 

Hi,

389-ds has an access control mechanism which allows fine grained access to entries, attributes for different types of operation and based on various criteria like d,n group membership, role,.... and you should get familiar with the basics before just adding specific acis:

https://access.redhat.com/documentation/en-us/red_hat_directory_server/10/html/administration_guide/managing_access_control

for your specific request you could do something like:

dn: l=kranj,c=si
aci: (targetattr = "*")(version 3.0; acl "Admin rights"; allow( all ) userdn = "ldap:///uid=mnadmin,ou=user,l=Kranj,c=si";)

not that in 389-ds acis have to be placed at the top of the subtree they should apply

Ludwig

On 06/22/2017 12:31 PM, Kalan Blaz wrote:

Hi Mark,

 

Thank you very much for your help. Now I hit to another problem and maybe you can help me. At OpenLDAP we have two “super users” which has read/write/delete access for whole tree. Now in 389 DS I can do changes or view the data only if I am login as cn=directory manager. All my “super users” are already in 389 DS database, but I do not know how to set them proper rights. Here is an example with ldapsearch:

 

ldapsearch -D "cn=directory manager" -w iskratel -b "l=kranj,c=si" -p 1317 -h kalanvm1.csi.iskratel.mak | grep numResponses

# numResponses: 108

 

ldapsearch -D "uid=mnadmin,ou=user,l=Kranj,c=si" -w mzPLlgQ3 -b "l=kranj,c=si" -p 1317 -h kalanvm1.csi.iskratel.mak | grep numResponses

# numResponses: 1

 

So my question here is, what I must do, that user mnadmin have r/w/d permissions and will see the same tree as directory manager does?

 

Best regards,

Blaz



_______________________________________________
389-users mailing list -- 389-users@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to 389-users-leave@xxxxxxxxxxxxxxxxxxxxxxx


-- 
Red Hat GmbH, http://www.de.redhat.com/, Registered seat: Grasbrunn, 
Commercial register: Amtsgericht Muenchen, HRB 153243,
Managing Directors: Charles Cachera, Michael Cunningham, Michael O'Neill, Eric Shander
_______________________________________________
389-users mailing list -- 389-users@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to 389-users-leave@xxxxxxxxxxxxxxxxxxxxxxx
[Index of Archives]     [Fedora User Discussion]     [Older Fedora Users]     [Fedora Announce]     [Fedora Package Announce]     [EPEL Announce]     [Fedora News]     [Fedora Cloud]     [Fedora Advisory Board]     [Fedora Education]     [Fedora Security]     [Fedora Scitech]     [Fedora Robotics]     [Fedora Maintainers]     [Fedora Infrastructure]     [Fedora Websites]     [Anaconda Devel]     [Fedora Devel Java]     [Fedora Legacy]     [Fedora Desktop]     [Fedora Fonts]     [ATA RAID]     [Fedora Marketing]     [Fedora Management Tools]     [Fedora Mentors]     [Fedora Package Review]     [Fedora R Devel]     [Fedora PHP Devel]     [Kickstart]     [Fedora Music]     [Fedora Packaging]     [Centos]     [Fedora SELinux]     [Fedora Legal]     [Fedora Kernel]     [Fedora QA]     [Fedora Triage]     [Fedora OCaml]     [Coolkey]     [Virtualization Tools]     [ET Management Tools]     [Yum Users]     [Tux]     [Yosemite News]     [Yosemite Photos]     [Linux Apps]     [Maemo Users]     [Gnome Users]     [KDE Users]     [Fedora Tools]     [Fedora Art]     [Fedora Docs]     [Maemo Users]     [Asterisk PBX]     [Fedora Sparc]     [Fedora Universal Network Connector]     [Fedora ARM]

  Powered by Linux