Re: A bit help about ACI?

Mark Reynolds <mreynolds@xxxxxxxxxx> · Fri, 23 Aug 2019 11:48:57 -0400



    On 8/23/19 11:34 AM, Mark Reynolds
      wrote:

    
      Moving to the correct list (389-users)...

      
      On 8/23/19 9:05 AM, Miljan Žugić
        wrote:

      
          I apologize in advance if this is wrong
            address  😊
          I build up 2 389 DS server, make
            replication and up till now, all looks fine. 
          But I have some issue about ACI. Where I
            can find good forum or site to get some real examples of ACI
            ? 
           
          Or if you can help me…I want something
            like this, to make “anonymous” can do read, search and
            compare for levels B and D, but deny to A and E (actually I
            have problem with level E, I can do deny to anyone to level
            E or deeper, but I need some specific accounts to access
            level E or deeper, so…I stuck how to do that) :
        
      
    First you should really read the access control docs:
    https://access.redhat.com/documentation/en-us/red_hat_directory_server/10/html/administration_guide/managing_access_control
    In order to do what you want you need two kinds of aci, allow and
      deny.  You need deny rules because when you set an aci on a
      subtree it applies to all its children.  So as you noted you can
      deny level E, but it denies everyone even if they previously had
      access.  So you need to add new aci's on level E that open up
      access to the users/groups you want to have access.  So you might
      end up with "duplicate" aci's at different levels in your tree.

    
    So on level B you have your anonymous access aci's - this will
      apply to all lower branches.  On Level E must have a deny
      "anonymous/anyone" rule, and then you add new acis to level E that
      open it back up for those you want to have access.
    HTH,
    Mark

    
          Anyhow, BR 
              😃
           
           
          Miljan Žugić
          Sistemski inženjer   |  Systems engineer 
          Sistemska podrška  |  Corporate IT 
           
          T   +381 11 3306514
          M +381 62 250 523
          E   Miljan.Zugic@xxxxxxxxx
           
           
          Halcom a.d.
          Beogradska 39   |   11000 Beograd   |   Srbija
           
          www.halcom.rs
           
           
      -- 

389 Directory Server Development Team
      

      _______________________________________________
389-users mailing list -- 389-users@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to 389-users-leave@xxxxxxxxxxxxxxxxxxxxxxx
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/389-users@xxxxxxxxxxxxxxxxxxxxxxx

    
    -- 

389 Directory Server Development Team
  

_______________________________________________
389-users mailing list -- 389-users@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to 389-users-leave@xxxxxxxxxxxxxxxxxxxxxxx
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/389-users@xxxxxxxxxxxxxxxxxxxxxxx