> On 24 Aug 2019, at 01:48, Mark Reynolds <mreynolds@xxxxxxxxxx> wrote: > > > On 8/23/19 11:34 AM, Mark Reynolds wrote: >> Moving to the correct list (389-users)... >> >> On 8/23/19 9:05 AM, Miljan Žugić wrote: >>> I apologize in advance if this is wrong address 😊 >>> I build up 2 389 DS server, make replication and up till now, all looks fine. >>> But I have some issue about ACI. Where I can find good forum or site to get some real examples of ACI ? >>> >>> Or if you can help me…I want something like this, to make “anonymous” can do read, search and compare for levels B and D, but deny to A and E (actually I have problem with level E, I can do deny to anyone to level E or deeper, but I need some specific accounts to access level E or deeper, so…I stuck how to do that) : > First you should really read the access control docs: > > https://access.redhat.com/documentation/en-us/red_hat_directory_server/10/html/administration_guide/managing_access_control > > In order to do what you want you need two kinds of aci, allow and deny. You need deny rules because when you set an aci on a subtree it applies to all its children. So as you noted you can deny level E, but it denies everyone even if they previously had access. So you need to add new aci's on level E that open up access to the users/groups you want to have access. So you might end up with "duplicate" aci's at different levels in your tree. > > So on level B you have your anonymous access aci's - this will apply to all lower branches. On Level E must have a deny "anonymous/anyone" rule, and then you add new acis to level E that open it back up for those you want to have access. Another way to tackle this is a costemplate that adds a security label to the "onelevels" you want accessible, then have an allow anonymous rule to filter on the security label that is added. Of course, you need to ensure people can't write that label type ... Deny rules always make aci's messy - they really do make it confusing to audit and "see" what's going on. So I think here, you should probably reconsider your tree layout and if it's the correct structure, or consider using onelevel rules or labeling with filters instead, to keep it to "allow only" rules. > > HTH, > > Mark > > > >>> >>> <image003.png> >>> >>> Anyhow, BR 😃 >>> >>> >>> Miljan Žugić >>> Sistemski inženjer | Systems engineer >>> Sistemska podrška | Corporate IT >>> >>> T +381 11 3306514 >>> M +381 62 250 523 >>> E Miljan.Zugic@xxxxxxxxx >>> >>> >>> >>> >>> >>> Halcom a.d. >>> Beogradska 39 | 11000 Beograd | Srbija >>> >>> www.halcom.rs >>> >>> >> -- >> >> 389 Directory Server Development Team >> >> >> >> _______________________________________________ >> 389-users mailing list -- >> 389-users@xxxxxxxxxxxxxxxxxxxxxxx >> >> To unsubscribe send an email to >> 389-users-leave@xxxxxxxxxxxxxxxxxxxxxxx >> >> Fedora Code of Conduct: >> https://docs.fedoraproject.org/en-US/project/code-of-conduct/ >> >> List Guidelines: >> https://fedoraproject.org/wiki/Mailing_list_guidelines >> >> List Archives: >> https://lists.fedoraproject.org/archives/list/389-users@xxxxxxxxxxxxxxxxxxxxxxx > -- > > 389 Directory Server Development Team > > _______________________________________________ > 389-users mailing list -- 389-users@xxxxxxxxxxxxxxxxxxxxxxx > To unsubscribe send an email to 389-users-leave@xxxxxxxxxxxxxxxxxxxxxxx > Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ > List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines > List Archives: https://lists.fedoraproject.org/archives/list/389-users@xxxxxxxxxxxxxxxxxxxxxxx — Sincerely, William Brown Senior Software Engineer, 389 Directory Server SUSE Labs _______________________________________________ 389-users mailing list -- 389-users@xxxxxxxxxxxxxxxxxxxxxxx To unsubscribe send an email to 389-users-leave@xxxxxxxxxxxxxxxxxxxxxxx Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/389-users@xxxxxxxxxxxxxxxxxxxxxxx