Re: ACI help

On Wed, 2017-09-06 at 16:55 -0300, Alberto Viana wrote:
> Hi Folks,
> 
> 389-Directory/1.3.7.3.20170901gite67788a B2017.244.1727
> 
> I'm trying to give specific read/search/compare permissions to a user in
> a sub OU in my tree.
> 
> I deleted the default ACI "anonymous access" (For tests purposes)
> 
> I tried the following ACIs:
> 
> OU scope:
> 
> dn: OU=pop-ac,ou=pops,dc=my,dc=domain
> changetype: modify
> add: aci
> aci: (targetattr!="userPassword") (version 3.0;acl "All attributes PoP-AC
> Permissions";allow (read,search,compare)
> userdn="ldap:///uid=my-test-user,ou=aplicacoes,dc=my,dc=domain";;)
> 
> Log:
> 06/Sep/2017:16:15:32.427750186 -0300] - DEBUG - NSACLPlugin -
> print_access_control_summary - conn=47 op=1 (main): Deny search on
> entry(uid=rodrigo.nonato,ou=pop-ac,ou=pops,dc=my,dc=domain).attr(objectClass)
> to uid=my-test-user,ou=aplicacoes,dc=my,dc=domain: no aci matched the
> subject by aci(242): aciname= "SIE Group", acidn="dc=my,dc=domain"
> 
> => SIE Group is one of the default 389 ACIs.
> 
> or
> 
> Whole domain scope:
> 
> dn: dc=my,dc=domain
> changetype: modify
> add: aci
> aci:
> (target="ldap:///OU=pop-ac,ou=pops,dc=my,dc=domain";)(targetattr!="userPassword")
> (version 3.0;acl "All attributes PoP-AC Permissions";allow
> (read,search,compare)
> userdn="ldap:///uid=my-test-user,ou=aplicacoes,dc=my,dc=domain";;)
> 
> 
> Log:
> [06/Sep/2017:16:41:33.824679480 -0300] - DEBUG - NSACLPlugin -
> print_access_control_summary - conn=50 op=1 (main): Deny search on
> entry(uid=rodrigo.nonato,ou=pop-ac,ou=pops,dc=my,dc=domain).attr(objectClass)
> to uid=my-test-user,ou=aplicacoes,dc=my,dc=domain: no aci matched the
> subject by aci(253): aciname= "All attributes PoP-AC Permissions",
> acidn="dc=my,dc=domain"
> 
> 
> 
> What I need: A user that has no other rights on my tree to read/search all
> attributes/users on a specific OU.
> 
> Is that possible? What am I missing?

So the aci guide is really long: we've been working to improve it lately
to help with common aci questions like this so this is a great place to
start:

https://access.redhat.com/documentation/en-us/red_hat_directory_server/10/html/administration_guide/managing_access_control


So the aci you have here:

> dn: OU=pop-ac,ou=pops,dc=my,dc=domain
> changetype: modify
> add: aci
> aci: (targetattr!="userPassword") (version 3.0;acl "All attributes PoP-AC
> Permissions";allow (read,search,compare)
> userdn="ldap:///uid=my-test-user,ou=aplicacoes,dc=my,dc=domain";;)

Should be the correct one. My guess is that the aci should be:

(targetattr!="userPassword")(version 3.0;acl "All attributes PoP-AC
Permissions"; allow
(read,search,compare)(userdn="ldap:///uid=my-test-user,ou=aplicacoes,dc=my,dc=domain";);)

The change is the parens around the userdn.

This should be on the OU=pop-ac,ou=pops,dc=my,dc=domain object.

As well, you may need to start your query basedn at
OU=pop-ac,ou=pops,dc=my,dc=domain rather than dc=my,dc=domain too.



As a follow up, please don't use targetattr!=userPassword. This exposes
a *lot* of internal system attributes to the user object in question.
It's much better if you limit this to just the attributes required like:

aci: (targetattr="objectClass || nsUniqueId || uid || displayName || loginShell ||
  uidNumber || gidNumber || gecos || homeDirectory || givenName || cn || memberOf ||
  mail || sshPublicKey || nsAccountLock || userCertificate")
 (target="ldap:///uid=*,ou=People,dc=blackhats,dc=net,dc=au";)
 (targetfilter="(&(objectClass=account)(objectClass=person)(objectClass=posixaccount))")
 (version 3.0; acl "Enable anonymous partial user read"; allow (read, search, compare)
 (userdn="ldap:///anyone";);)

Hope that helps a little bit.


> 
> Thanks
> 
> Cheers,
> 
> Alberto Viana
> _______________________________________________
> 389-users mailing list -- 389-users@xxxxxxxxxxxxxxxxxxxxxxx
> To unsubscribe send an email to 389-users-leave@xxxxxxxxxxxxxxxxxxxxxxx

-- 
Sincerely,

William Brown
Software Engineer
Red Hat, Australia/Brisbane
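The two problems William points at (the bind rule not wrapped in its own parentheses, and a negated targetattr that opens up every other attribute) can be caught before the LDIF is applied. The following is an added example, not code from the thread or from 389-ds; it is a small regex-based linter over the three ACI strings quoted above, constructed here as test inputs, and `lint_aci` / `allowed_attrs` are hypothetical helper names.

```python
import re

# Constructed inputs taken from the thread: the ACI that was denied, William's
# corrected form, and his attribute-limited anonymous-read example (unwrapped).
ACI_BROKEN = ('(targetattr!="userPassword") (version 3.0;acl "All attributes PoP-AC '
              'Permissions";allow (read,search,compare)'
              'userdn="ldap:///uid=my-test-user,ou=aplicacoes,dc=my,dc=domain";;)')
ACI_FIXED = ('(targetattr!="userPassword")(version 3.0;acl "All attributes PoP-AC '
             'Permissions"; allow (read,search,compare)'
             '(userdn="ldap:///uid=my-test-user,ou=aplicacoes,dc=my,dc=domain";);)')
ACI_PARTIAL = ('(targetattr="objectClass || nsUniqueId || uid || displayName || loginShell '
               '|| uidNumber || gidNumber || gecos || homeDirectory || givenName || cn || '
               'memberOf || mail || sshPublicKey || nsAccountLock || userCertificate")'
               '(target="ldap:///uid=*,ou=People,dc=blackhats,dc=net,dc=au";)'
               '(targetfilter="(&(objectClass=account)(objectClass=person)'
               '(objectClass=posixaccount))")(version 3.0; acl "Enable anonymous partial '
               'user read"; allow (read, search, compare)(userdn="ldap:///anyone";);)')

# Target rules: (targetattr="..."), (target="...";), (targetfilter="...")
TARGET_RE = re.compile(r'\(\s*(target\w*)\s*(!?=)\s*"([^"]*)"\s*;?\s*\)')
# The (version 3.0; acl "name"; <permission rules>) body that closes the ACI
VERSION_RE = re.compile(r'\(version 3\.0\s*;\s*acl\s+"([^"]*)"\s*;(.*)\)\s*$', re.S)
# One well-formed permission rule: allow|deny (perms)(bindkeyword="value";);
PERM_RE = re.compile(r'(allow|deny)\s*\(([^)]*)\)\s*\(\s*(\w+)\s*(!?=)\s*"([^"]*)"\s*;\s*\)\s*;')

def lint_aci(aci):
    """Return a list of findings for one aci value; an empty list means nothing was flagged."""
    findings = []
    m = VERSION_RE.search(aci)
    if not m:
        return ['no (version 3.0; acl "..."; ...) body found']
    if not PERM_RE.search(m.group(2)):
        findings.append('bind rule must be parenthesised and the rule closed with ";)", '
                        'e.g. allow (read,search,compare)(userdn="...";);')
    for keyword, op, value in TARGET_RE.findall(aci):
        if keyword == 'targetattr' and op == '!=':
            findings.append(f'targetattr!="{value}" grants every other attribute, '
                            'internal ones included; list only the attributes needed')
    return findings

def allowed_attrs(aci):
    """Attributes named by a positive targetattr rule, or None if it is negated or absent."""
    for keyword, op, value in TARGET_RE.findall(aci):
        if keyword == 'targetattr' and op == '=':
            return [a.strip() for a in value.split('||')]
    return None
```

Running `lint_aci` over each `aci:` value of an LDIF before `ldapmodify` flags the `;;)` form from the first post and the blanket `targetattr!=` in both versions, while the attribute-limited anonymous-read ACI passes clean.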

