Re: Limiting access to same ou

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 

I've added these acis, but a telephone (with objectClass 'person') in tenant1 can still see people (with objectClass 'inetOrgPerson') in tenant2. Presumably there needs to also be a blanket aci to forbid all telephones from viewing other tenants, that these tenant-specific allow acis then override? 

On 27/11/2018 10:31, Olivier JUDITH wrote:

Hi,

Give IT a try. It should work
aci: (target="ldap:///ou=tenant1,dc=example,dc=com";)(targetattr=*)(version 3.0;acl "aci1";allow (read,search) userdn="ldap:///uid=*,ou=tenant1,dc=example,dc=com";;) aci: (target="ldap:///ou=tenant2,dc=example,dc=com";)(targetattr=*)(version 3.0;acl "aci2";allow (read,search) userdn="ldap:///uid=*,ou=tenant2,dc=example,dc=com";;) 

Let me know
Le mar. 27 nov. 2018 à 00:03, Alistair Cunningham <acunningham@xxxxxxxxxxxxx <mailto:acunningham@xxxxxxxxxxxxx>> a écrit : 

    On 26/11/2018 18:59, Olivier JUDITH wrote:
     > Hi,
     >
     > I'm using the Redhat documentation on this link
     >
    https://access.redhat.com/documentation/en-us/red_hat_directory_server/10/html-single/plug-in_guide/index

    That looks rather complex. It's a real shame that there's no way of
    limiting users to the same ou using a regular expression ACL.

     > Regards
     >
     >   lun. 26 nov. 2018 à 05:46, Alistair Cunningham
     > <acunningham@xxxxxxxxxxxxx <mailto:acunningham@xxxxxxxxxxxxx>
    <mailto:acunningham@xxxxxxxxxxxxx
    <mailto:acunningham@xxxxxxxxxxxxx>>> a écrit :
     >
     >     On 25/11/2018 11:44, Olivier JUDITH wrote:
     >      >  From my point of view , the easiest way to solve this is
    to set
     >     a search filter on the OU corresponding to the tenant on each
    phone.
     >      > Can you modify the software on the phone ?
     >
     >     Unfortunately not. The telephone handset firmware is written
    by various
     >     third parties, and we have no access to it.
     >
     >     This would also be insecure. Anyone with the username and
    password of a
     >     telephone and who could use an LDAP client such as LDAP
    search could
     >     bypass the filter to see all the users in all the tenants (i.e.
     >     every ou).
     >
     >      > The other way could be by creating  a 389 plugin that add a
     >     filter on the good OU regarding the DN of user which make the
    call
     >     to the ldap.
     >
     >     That might be an option. Do you know where I can find
    documentation on
     >     how to do this?
     >
     >     --
     >     Alistair Cunningham
     >     +1 888 468 3111
     >     +44 20 799 39 799
     > https://enswitch.com/
     >
     >
     > _______________________________________________
     > 389-users mailing list -- 389-users@xxxxxxxxxxxxxxxxxxxxxxx
    <mailto:389-users@xxxxxxxxxxxxxxxxxxxxxxx>
     > To unsubscribe send an email to
    389-users-leave@xxxxxxxxxxxxxxxxxxxxxxx
    <mailto:389-users-leave@xxxxxxxxxxxxxxxxxxxxxxx>
     > Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
     > List Guidelines:
    https://fedoraproject.org/wiki/Mailing_list_guidelines
     > List Archives:
    https://lists.fedoraproject.org/archives/list/389-users@xxxxxxxxxxxxxxxxxxxxxxx
     >
-- Alistair Cunningham 
    +1 888 468 3111
    +44 20 799 39 799
    https://enswitch.com/
    _______________________________________________
    389-users mailing list -- 389-users@xxxxxxxxxxxxxxxxxxxxxxx
    <mailto:389-users@xxxxxxxxxxxxxxxxxxxxxxx>
    To unsubscribe send an email to
    389-users-leave@xxxxxxxxxxxxxxxxxxxxxxx
    <mailto:389-users-leave@xxxxxxxxxxxxxxxxxxxxxxx>
    Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
    List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
    List Archives:
    https://lists.fedoraproject.org/archives/list/389-users@xxxxxxxxxxxxxxxxxxxxxxx


_______________________________________________
389-users mailing list -- 389-users@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to 389-users-leave@xxxxxxxxxxxxxxxxxxxxxxx
Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/389-users@xxxxxxxxxxxxxxxxxxxxxxx



--
Alistair Cunningham
+1 888 468 3111
+44 20 799 39 799
https://enswitch.com/
_______________________________________________
389-users mailing list -- 389-users@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to 389-users-leave@xxxxxxxxxxxxxxxxxxxxxxx
Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/389-users@xxxxxxxxxxxxxxxxxxxxxxx
[Index of Archives]     [Fedora User Discussion]     [Older Fedora Users]     [Fedora Announce]     [Fedora Package Announce]     [EPEL Announce]     [Fedora News]     [Fedora Cloud]     [Fedora Advisory Board]     [Fedora Education]     [Fedora Security]     [Fedora Scitech]     [Fedora Robotics]     [Fedora Maintainers]     [Fedora Infrastructure]     [Fedora Websites]     [Anaconda Devel]     [Fedora Devel Java]     [Fedora Legacy]     [Fedora Desktop]     [Fedora Fonts]     [ATA RAID]     [Fedora Marketing]     [Fedora Management Tools]     [Fedora Mentors]     [Fedora Package Review]     [Fedora R Devel]     [Fedora PHP Devel]     [Kickstart]     [Fedora Music]     [Fedora Packaging]     [Centos]     [Fedora SELinux]     [Fedora Legal]     [Fedora Kernel]     [Fedora QA]     [Fedora Triage]     [Fedora OCaml]     [Coolkey]     [Virtualization Tools]     [ET Management Tools]     [Yum Users]     [Tux]     [Yosemite News]     [Yosemite Photos]     [Linux Apps]     [Maemo Users]     [Gnome Users]     [KDE Users]     [Fedora Tools]     [Fedora Art]     [Fedora Docs]     [Maemo Users]     [Asterisk PBX]     [Fedora Sparc]     [Fedora Universal Network Connector]     [Fedora ARM]

  Powered by Linux