On 11/27/18 8:15 PM, Alistair Cunningham wrote:
On 28/11/2018 12:08, Mark Reynolds wrote:
On 11/27/18 7:24 PM, Alistair Cunningham wrote:
I've added these acis, but a telephone (with objectClass 'person')
in tenant1 can still see people (with objectClass 'inetOrgPerson')
in tenant2. Presumably there needs to also be a blanket aci to
forbid all telephones from viewing other tenants, that these
tenant-specific allow acis then override?
There might be an aci that is allowing anonymous access to basic
entries. By default if there are no ACI's then access is completely
blocked except for Directory Manager. So some aci is allowing
access. We need to see all the ACI's you have:
For example, this would list all the aci's under dc=example,dc=com:
# ldapsearch -D "cn=directory manager" -W -b "dc=example,dc=com"
aci=* aci
I suspect there is an aci with a userdn that equals "anyone", but
we'll see...
There is indeed. Shall I delete it?
aci: (targetattr!="userPassword || aci")(version 3.0; acl "Enable
anonymous ac
cess"; allow (read, search, compare) userdn="ldap:///anyone";;)
That depends. Do you have any clients that expect to have anonymous
access to entries? Removing this aci will block everyone from access to
the database - then you need to add aci's to open up access to the
users/groups of your choosing.
So to accomplish what you want in this email then yes delete it, but it
could break clients that be expecting anonymous access to be allowed.
So be careful :-)
$ ldapsearch -x -D "cn=Directory Manager" -w secret -b
"dc=integrics,dc=com" "aci=*" aci
# extended LDIF
#
# LDAPv3
# base <dc=integrics,dc=com> with scope subtree
# filter: aci=*
# requesting: aci
#
# integrics.com
dn: dc=integrics,dc=com
aci: (targetattr!="userPassword || aci")(version 3.0; acl "Enable
anonymous ac
cess"; allow (read, search, compare) userdn="ldap:///anyone";;)
aci: (targetattr="carLicense || description || displayName ||
facsimileTelepho
neNumber || homePhone || homePostalAddress || initials || jpegPhoto
|| labele
dURI || mail || mobile || pager || photo || postOfficeBox ||
postalAddress ||
postalCode || preferredDeliveryMethod || preferredLanguage ||
registeredAddr
ess || roomNumber || secretary || seeAlso || st || street ||
telephoneNumber
|| telexNumber || title || userCertificate || userPassword ||
userSMIMECertif
icate || x500UniqueIdentifier")(version 3.0; acl "Enable self write
for commo
n attributes"; allow (write) userdn="ldap:///self";;)
aci: (targetattr ="*")(version 3.0;acl "Directory Administrators
Group";allow
(all) (groupdn = "ldap:///cn=Directory Administrators,
dc=integrics,dc=com");
)
# 2, integrics.com
dn: ou=2,dc=integrics,dc=com
aci: (target="ldap:///ou=2,dc=integrics,dc=com";)(targetattr=*)(version
3.0;acl
"aci2";allow (read,search)
userdn="ldap:///uid=*,ou=2,dc=integrics,dc=com";;)
# search result
search: 2
result: 0 Success
# numResponses: 3
# numEntries: 2
_______________________________________________
389-users mailing list -- 389-users@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to 389-users-leave@xxxxxxxxxxxxxxxxxxxxxxx
Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/389-users@xxxxxxxxxxxxxxxxxxxxxxx
