Thank you, I'll give that a go.
On a related topic, do you know why, when I try to add a
simpleSecurityObject, I get an 'attribute "cn" not allowed' error?
$ cat 1234567890.ldif
dn: cn=1234567890,ou=2,dc=integrics,dc=com
objectClass: simpleSecurityObject
userPassword: abcdef
$ ldapadd -x -D "cn=Directory Manager" -w secret -f 1234567890.ldif
adding new entry "cn=1234567890,ou=2,dc=integrics,dc=com"
ldap_add: Object class violation (65)
additional info: attribute "cn" not allowed
I've tried with "uid=1234567890" instead, and it tells me that uid is
not allowed.
On 27/11/2018 10:31, Olivier JUDITH wrote:
Hi,
Give it a try. It should work.
aci: (target="ldap:///ou=tenant1,dc=example,dc=com")(targetattr=*)(version 3.0;acl "aci1";allow (read,search) userdn="ldap:///uid=*,ou=tenant1,dc=example,dc=com";)
aci: (target="ldap:///ou=tenant2,dc=example,dc=com")(targetattr=*)(version 3.0;acl "aci2";allow (read,search) userdn="ldap:///uid=*,ou=tenant2,dc=example,dc=com";)
Let me know
On Tue, 27 Nov 2018 at 00:03, Alistair Cunningham <acunningham@xxxxxxxxxxxxx> wrote:
On 26/11/2018 18:59, Olivier JUDITH wrote:
> Hi,
>
> I'm using the Redhat documentation on this link
>
https://access.redhat.com/documentation/en-us/red_hat_directory_server/10/html-single/plug-in_guide/index
That looks rather complex. It's a real shame that there's no way of
limiting users to the same ou using a regular expression ACL.
> Regards
>
> On Mon, 26 Nov 2018 at 05:46, Alistair Cunningham <acunningham@xxxxxxxxxxxxx> wrote:
>
> On 25/11/2018 11:44, Olivier JUDITH wrote:
> > From my point of view, the easiest way to solve this is to set a search filter on the OU corresponding to the tenant on each phone.
> > Can you modify the software on the phone?
>
> Unfortunately not. The telephone handset firmware is written by various third parties, and we have no access to it.
>
> This would also be insecure. Anyone with the username and password of a telephone and who could use an LDAP client such as ldapsearch could bypass the filter to see all the users in all the tenants (i.e. every ou).
>
> > The other way could be by creating a 389 plugin that adds a filter on the right OU regarding the DN of the user which makes the call to the LDAP.
>
> That might be an option. Do you know where I can find documentation on how to do this?
>
> --
> Alistair Cunningham
> +1 888 468 3111
> +44 20 799 39 799
> https://enswitch.com/
>
>
> _______________________________________________
> 389-users mailing list -- 389-users@xxxxxxxxxxxxxxxxxxxxxxx
<mailto:389-users@xxxxxxxxxxxxxxxxxxxxxxx>
> To unsubscribe send an email to
389-users-leave@xxxxxxxxxxxxxxxxxxxxxxx
<mailto:389-users-leave@xxxxxxxxxxxxxxxxxxxxxxx>
> Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
> List Guidelines:
https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives:
https://lists.fedoraproject.org/archives/list/389-users@xxxxxxxxxxxxxxxxxxxxxxx
>
--
Alistair Cunningham
+1 888 468 3111
+44 20 799 39 799
https://enswitch.com/
--
Alistair Cunningham
+1 888 468 3111
+44 20 799 39 799
https://enswitch.com/
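To see why the ldapadd at the top of the thread is rejected, here is an added example (not part of the thread, and not 389 DS's own code) that models the object-class check a directory server applies to an entry. It uses only the handful of standard schema definitions involved: simpleSecurityObject is AUXILIARY with MUST userPassword (RFC 4519), account is STRUCTURAL with MUST uid (RFC 4524), and device is STRUCTURAL with MUST cn (RFC 4519). An entry needs a STRUCTURAL class, and the attribute named in its RDN must be allowed by the entry's object classes, so an entry whose only class is simpleSecurityObject can carry neither cn nor uid. The SCHEMA table, the helper names (parse_ldif, rdn_attrs, check_entry, check_ldif) and the two corrected LDIF texts are constructed for this example; the failing LDIF is the one posted above.

```python
"""Model of the object-class check behind 'attribute "cn" not allowed' (added example).

Assumed minimal schema, taken from the RFCs rather than from 389 DS's schema files:
  simpleSecurityObject  AUXILIARY   MUST userPassword   (RFC 4519)
  account               STRUCTURAL  MUST uid            (RFC 4524)
  device                STRUCTURAL  MUST cn             (RFC 4519)
An AUXILIARY class can only be added on top of a STRUCTURAL one, and the attribute
named in the RDN must be allowed (MUST or MAY) by the entry's object classes.
"""

# name -> (kind, MUST, MAY); names are lower-case because LDAP compares them case-insensitively
SCHEMA = {
    "top": ("ABSTRACT", {"objectclass"}, set()),
    "simplesecurityobject": ("AUXILIARY", {"userpassword"}, set()),
    "account": ("STRUCTURAL", {"uid"},
                {"description", "seealso", "l", "o", "ou", "host"}),
    "device": ("STRUCTURAL", {"cn"},
               {"serialnumber", "seealso", "owner", "ou", "o", "l", "description"}),
}

# The LDIF from the thread (rejected) and two constructed, corrected versions.
ORIGINAL_LDIF = """\
dn: cn=1234567890,ou=2,dc=integrics,dc=com
objectClass: simpleSecurityObject
userPassword: abcdef
"""

FIXED_LDIF_UID = """\
dn: uid=1234567890,ou=2,dc=integrics,dc=com
objectClass: top
objectClass: account
objectClass: simpleSecurityObject
uid: 1234567890
userPassword: abcdef
"""

FIXED_LDIF_CN = """\
dn: cn=1234567890,ou=2,dc=integrics,dc=com
objectClass: top
objectClass: device
objectClass: simpleSecurityObject
cn: 1234567890
userPassword: abcdef
"""


def parse_ldif(text):
    """Parse one LDIF entry into (dn, {attr_lower: [values]}); enough for the entries above."""
    dn, attrs = None, {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        name, _, value = line.partition(":")
        name, value = name.strip().lower(), value.strip()
        if name == "dn":
            dn = value
        else:
            attrs.setdefault(name, []).append(value)
    return dn, attrs


def rdn_attrs(dn):
    """Attribute names used in the leftmost RDN, e.g. 'cn=a+uid=b,ou=x' -> {'cn', 'uid'}."""
    first_rdn = dn.split(",", 1)[0]
    return {part.split("=", 1)[0].strip().lower() for part in first_rdn.split("+")}


def check_entry(dn, attrs):
    """Return the schema violations a server would report for this entry ([] means valid)."""
    problems = []
    classes = [c.lower() for c in attrs.get("objectclass", [])]
    unknown = [c for c in classes if c not in SCHEMA]
    if unknown:
        return ['unknown object class "%s"' % unknown[0]]
    if not any(SCHEMA[c][0] == "STRUCTURAL" for c in classes):
        problems.append("missing structural object class")
    must, may = {"objectclass"}, set()
    for c in classes:
        must |= SCHEMA[c][1]
        may |= SCHEMA[c][2]
    allowed = must | may
    # The RDN attribute is part of the entry, so cn=... in the DN must be allowed by the classes.
    present = set(attrs) | rdn_attrs(dn)
    for name in sorted(present - allowed):
        problems.append('attribute "%s" not allowed' % name)
    for name in sorted(must - present):
        problems.append('missing attribute "%s" required by object class' % name)
    return problems


def check_ldif(text):
    """Parse an LDIF entry and check it against the assumed schema."""
    return check_entry(*parse_ldif(text))


if __name__ == "__main__":
    for label, ldif in (("original", ORIGINAL_LDIF),
                        ("account+uid", FIXED_LDIF_UID),
                        ("device+cn", FIXED_LDIF_CN)):
        print(label, "->", check_ldif(ldif) or "OK")
```

Run as is, the original entry reports both a missing structural class and the disallowed cn, while either corrected form (account with uid, or device with cn, each carrying simpleSecurityObject on top) passes. The SCHEMA table holds only the classes needed here; a real server evaluates its full schema, so an entry this model accepts can still be rejected for reasons outside these four classes.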