Re: Limiting access to same ou

[Mark Reynolds <mreynolds@xxxxxxxxxx>]

On 11/27/18 7:24 PM, Alistair Cunningham wrote:
> I've added these acis, but a telephone (with objectClass 'person') in 
> tenant1 can still see people (with objectClass 'inetOrgPerson') in 
> tenant2. Presumably there needs to also be a blanket aci to forbid all 
> telephones from viewing other tenants, that these tenant-specific 
> allow acis then override?

There might be an aci that is allowing anonymous access to basic 
entries.  By default if there are no ACI's then access is completely 
blocked except for Directory Manager.  So some aci is allowing access.  
We need to see all the ACI's you have:

For example, this would list all the aci's under dc=example,dc=com:

# ldapsearch -D "cn=directory manager" -W -b "dc=example,dc=com" aci=* aci

I suspect there is an aci with a userdn that equals "anyone", but we'll 
see...

> On 27/11/2018 10:31, Olivier JUDITH wrote:
> > Hi,
> >
> > Give IT a try. It should work
> > aci: 
> > (target="ldap:///ou=tenant1,dc=example,dc=com";)(targetattr=*)(version 
> > 3.0;acl "aci1";allow (read,search) 
> > userdn="ldap:///uid=*,ou=tenant1,dc=example,dc=com";;)
> > aci: 
> > (target="ldap:///ou=tenant2,dc=example,dc=com";)(targetattr=*)(version 
> > 3.0;acl "aci2";allow (read,search) 
> > userdn="ldap:///uid=*,ou=tenant2,dc=example,dc=com";;)
> >
> > Let me know
> >
> > Le mar. 27 nov. 2018 à 00:03, Alistair Cunningham 
> > <acunningham@xxxxxxxxxxxxx <mailto:acunningham@xxxxxxxxxxxxx>> a écrit :
> >
> >     On 26/11/2018 18:59, Olivier JUDITH wrote:
> >      > Hi,
> >      >
> >      > I'm using the Redhat documentation on this link
> >      >
> > https://access.redhat.com/documentation/en-us/red_hat_directory_server/10/html-single/plug-in_guide/index
> >
> >     That looks rather complex. It's a real shame that there's no way of
> >     limiting users to the same ou using a regular expression ACL.
> >
> >      > Regards
> >      >
> >      >   lun. 26 nov. 2018 à 05:46, Alistair Cunningham
> >      > <acunningham@xxxxxxxxxxxxx <mailto:acunningham@xxxxxxxxxxxxx>
> >     <mailto:acunningham@xxxxxxxxxxxxx
> >     <mailto:acunningham@xxxxxxxxxxxxx>>> a écrit :
> >      >
> >      >     On 25/11/2018 11:44, Olivier JUDITH wrote:
> >      >      >  From my point of view , the easiest way to solve this is
> >     to set
> >      >     a search filter on the OU corresponding to the tenant on each
> >     phone.
> >      >      > Can you modify the software on the phone ?
> >      >
> >      >     Unfortunately not. The telephone handset firmware is written
> >     by various
> >      >     third parties, and we have no access to it.
> >      >
> >      >     This would also be insecure. Anyone with the username and
> >     password of a
> >      >     telephone and who could use an LDAP client such as LDAP
> >     search could
> >      >     bypass the filter to see all the users in all the tenants 
> > (i.e.
> >      >     every ou).
> >      >
> >      >      > The other way could be by creating  a 389 plugin that 
> > add a
> >      >     filter on the good OU regarding the DN of user which make the
> >     call
> >      >     to the ldap.
> >      >
> >      >     That might be an option. Do you know where I can find
> >     documentation on
> >      >     how to do this?
> >      >
> >      >     --
> >      >     Alistair Cunningham
> >      >     +1 888 468 3111
> >      >     +44 20 799 39 799
> >      > https://enswitch.com/
> >      >
> >      >
> >      > _______________________________________________
> >      > 389-users mailing list -- 389-users@xxxxxxxxxxxxxxxxxxxxxxx
> >     <mailto:389-users@xxxxxxxxxxxxxxxxxxxxxxx>
> >      > To unsubscribe send an email to
> >     389-users-leave@xxxxxxxxxxxxxxxxxxxxxxx
> >     <mailto:389-users-leave@xxxxxxxxxxxxxxxxxxxxxxx>
> >      > Fedora Code of Conduct: 
> > https://getfedora.org/code-of-conduct.html
> >      > List Guidelines:
> >     https://fedoraproject.org/wiki/Mailing_list_guidelines
> >      > List Archives:
> > https://lists.fedoraproject.org/archives/list/389-users@xxxxxxxxxxxxxxxxxxxxxxx
> >      >
> >
> >     --     Alistair Cunningham
> >     +1 888 468 3111
> >     +44 20 799 39 799
> >     https://enswitch.com/
> >     _______________________________________________
> >     389-users mailing list -- 389-users@xxxxxxxxxxxxxxxxxxxxxxx
> >     <mailto:389-users@xxxxxxxxxxxxxxxxxxxxxxx>
> >     To unsubscribe send an email to
> >     389-users-leave@xxxxxxxxxxxxxxxxxxxxxxx
> >     <mailto:389-users-leave@xxxxxxxxxxxxxxxxxxxxxxx>
> >     Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
> >     List Guidelines: 
> > https://fedoraproject.org/wiki/Mailing_list_guidelines
> >     List Archives:
> > https://lists.fedoraproject.org/archives/list/389-users@xxxxxxxxxxxxxxxxxxxxxxx
> >
> >
> > _______________________________________________
> > 389-users mailing list -- 389-users@xxxxxxxxxxxxxxxxxxxxxxx
> > To unsubscribe send an email to 389-users-leave@xxxxxxxxxxxxxxxxxxxxxxx
> > Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
> > List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> > List Archives: 
> > https://lists.fedoraproject.org/archives/list/389-users@xxxxxxxxxxxxxxxxxxxxxxx
_______________________________________________
389-users mailing list -- 389-users@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to 389-users-leave@xxxxxxxxxxxxxxxxxxxxxxx
Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/389-users@xxxxxxxxxxxxxxxxxxxxxxx