On 09/07/2017 02:25 AM, William Brown wrote:
it is, and it works for me. The ( ) around the bind rule are not required.

On Wed, 2017-09-06 at 16:55 -0300, Alberto Viana wrote:

Hi Folks,

389-Directory/1.3.7.3.20170901gite67788a B2017.244.1727

I'm trying to give specific read/search/compare permissions to a user in a sub OU in my tree. I deleted the default ACI "anonymous access" (for test purposes). I tried the following ACIs:

OU scope:

dn: OU=pop-ac,ou=pops,dc=my,dc=domain
changetype: modify
add: aci
aci: (targetattr!="userPassword") (version 3.0;acl "All attributes PoP-AC Permissions";allow (read,search,compare) userdn="ldap:///uid=my-test-user,ou=aplicacoes,dc=my,dc=domain";)

Log:

[06/Sep/2017:16:15:32.427750186 -0300] - DEBUG - NSACLPlugin - print_access_control_summary - conn=47 op=1 (main): Deny search on entry(uid=rodrigo.nonato,ou=pop-ac,ou=pops,dc=my,dc=domain).attr(objectClass) to uid=my-test-user,ou=aplicacoes,dc=my,dc=domain: no aci matched the subject by aci(242): aciname= "SIE Group", acidn="dc=my,dc=domain"

=> SIE Group is one of the default 389 ACIs.

or

Whole domain scope:

dn: dc=my,dc=domain
changetype: modify
add: aci
aci: (target="ldap:///OU=pop-ac,ou=pops,dc=my,dc=domain")(targetattr!="userPassword") (version 3.0;acl "All attributes PoP-AC Permissions";allow (read,search,compare) userdn="ldap:///uid=my-test-user,ou=aplicacoes,dc=my,dc=domain";)

Log:

[06/Sep/2017:16:41:33.824679480 -0300] - DEBUG - NSACLPlugin - print_access_control_summary - conn=50 op=1 (main): Deny search on entry(uid=rodrigo.nonato,ou=pop-ac,ou=pops,dc=my,dc=domain).attr(objectClass) to uid=my-test-user,ou=aplicacoes,dc=my,dc=domain: no aci matched the subject by aci(253): aciname= "All attributes PoP-AC Permissions", acidn="dc=my,dc=domain"

What I need: a user that has no other rights on my tree to read/search all attributes/users on a specific OU. Is that possible?
What am I missing?

So the aci guide is really long: we've been working to improve it lately to help with common aci questions like this, so this is a great place to start:

https://access.redhat.com/documentation/en-us/red_hat_directory_server/10/html/administration_guide/managing_access_control

So the aci you have here:

dn: OU=pop-ac,ou=pops,dc=my,dc=domain
changetype: modify
add: aci
aci: (targetattr!="userPassword") (version 3.0;acl "All attributes PoP-AC Permissions";allow (read,search,compare) userdn="ldap:///uid=my-test-user,ou=aplicacoes,dc=my,dc=domain";)

Should be the correct one.

So I just have a wild guess. I think you anonymized the aci for this post using "test-user" and "dc=my,dc=domain". Could you verify that you don't have a typo in the real aci for the userdn?

My guess is that the aci should be:

(targetattr!="userPassword")(version 3.0;acl "All attributes PoP-AC Permissions"; allow (read,search,compare)(userdn="ldap:///uid=my-test-user,ou=aplicacoes,dc=my,dc=domain");)

The change is the parens around the userdn. This should be on the OU=pop-ac,ou=pops,dc=my,dc=domain object. As well, you may need to start your query basedn at OU=pop-ac,ou=pops,dc=my,dc=domain rather than dc=my,dc=domain too.

As a follow-up, please don't use targetattr!=userPassword. This exposes a *lot* of internal system attributes to the user object in question.
It's much better if you limit this to just the attributes required, like:

aci: (targetattr="objectClass || nsUniqueId || uid || displayName || loginShell || uidNumber || gidNumber || gecos || homeDirectory || givenName || cn || memberOf || mail || sshPublicKey || nsAccountLock || userCertificate")( target ="ldap:///uid=*,ou=People,dc=blackhats,dc=net,dc=au" )(targetfilter="(&(objectClass=account)(objectClass=person)(objectClass=posixaccount))")(version 3.0; acl "Enable anonymous partial user read"; allow (read, search, compare)(userdn="ldap:///anyone");)

Hope that helps a little bit.

Thanks

Cheers,

Alberto Viana

_______________________________________________
389-users mailing list -- 389-users@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to 389-users-leave@xxxxxxxxxxxxxxxxxxxxxxx

--
Red Hat GmbH, http://www.de.redhat.com/, Registered seat: Grasbrunn, Commercial register: Amtsgericht Muenchen, HRB 153243, Managing Directors: Charles Cachera, Michael Cunningham, Michael O'Neill, Eric Shander
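A small ACI checker, added here as an example and not code from the thread or from 389-ds: it splits the ACI strings quoted above into their clauses and flags the targetattr!= pattern William warns about, so the same check can be run over every aci value exported from a directory. The clause keywords are the 389 DS ACI syntax; the review rules are this example's own.

```python
import re
from dataclasses import dataclass, field

# Regexes for the two halves of a 389 DS ACI: the (target...) clauses in front
# and the (version 3.0; acl "..."; allow (...) bindrule;) body at the end.
TARGET_RE = re.compile(r'\(\s*(target|targetattr|targetfilter)\s*(!=|=)\s*"([^"]*)"\s*\)')
BODY_RE = re.compile(r'\(\s*version\s+3\.0\s*;\s*acl\s+"([^"]*)"\s*;\s*(allow|deny)'
                     r'\s*\(([^)]*)\)\s*(.*?)\s*;\s*\)\s*$', re.S)

@dataclass
class Aci:
    name: str
    effect: str                 # "allow" or "deny"
    rights: list                # e.g. ["read", "search", "compare"]
    bind_rule: str              # e.g. userdn="ldap:///anyone"; parens kept if present
    target: str = ""
    targetattr: list = field(default_factory=list)
    targetattr_negated: bool = False
    targetfilter: str = ""

def parse_aci(text):
    """Split one aci value into its clauses; raises ValueError if the body is missing."""
    text = " ".join(text.split())   # undo the line wrapping mail clients add
    m = BODY_RE.search(text)
    if not m:
        raise ValueError("no (version 3.0; acl ...;) body found")
    aci = Aci(m.group(1), m.group(2), [r.strip() for r in m.group(3).split(",")],
              m.group(4).strip())
    for kw, op, val in TARGET_RE.findall(text[:m.start()]):
        if kw == "target":
            aci.target = val
        elif kw == "targetfilter":
            aci.targetfilter = val
        else:
            aci.targetattr = [a.strip() for a in val.split("||")]
            aci.targetattr_negated = (op == "!=")
    return aci

def review(aci):
    """Return review findings for one parsed ACI (empty list means nothing flagged)."""
    findings = []
    if aci.targetattr_negated:   # the pattern from the thread: everything except one attribute
        findings.append('targetattr!="%s" grants every other attribute, internal ones included;'
                        ' list the needed attributes instead' % " || ".join(aci.targetattr))
    if "*" in aci.targetattr:
        findings.append('targetattr="*" grants all attributes')
    if aci.bind_rule.strip("()") == 'userdn="ldap:///anyone"' and not aci.targetfilter:
        findings.append("anonymous bind rule without a targetfilter to limit the entries")
    return findings
```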