>>>>>> I'm not an English native speaker, so please forgive me if there are
>>>>>> mistakes in this e-mail.
>>>>>>
>>>>>> OS : Fedora 30
>>>>>> 389ds version / build number : 1.4.1.14 / 2020.023.2226
>>>>>>
>>>>>> I'm struggling with ACI and despite hours of documentation reading, I
>>>>>> don't understand how to make it work as I want.
>>>>>>
>>>>>> Basic directory structure
>>>>>> ==================
>>>>>> dc=domain,dc=tld
>>>>>> |
>>>>>> +---ou=Servers
>>>>>>     |
>>>>>>     +---cn=proxy <---- here is where I add the ACI
>>>>>>         |
>>>>>>         +---cn=group1
>>>>>>         |
>>>>>>         +---cn=group2
>>>>>> ===================
>>>>>> Container "proxy" is an "iphost" object.
>>>>>>
>> Sorry for the messy email. I rewrote it a few times: this should be clearer.
>>
>> A way to achieve this is with the memberOf plugin.
>>
>> You enable the memberOf plugin on your system. This means that members of
>> cn=group1,cn=proxy,ou=Servers,dc=domain,dc=tld would have that set into
>> their account, such as:
>>
>> dn: uid=william,ou=people,dc=domain,dc=tld
>> ...
>> memberOf: cn=group1,cn=proxy,ou=Servers,dc=domain,dc=tld
>>
>> Then you can use:
>>
>> (targetattr = "*") (target = "ldap:///cn=proxy,ou=Servers,dc=domain,dc=tld")
>> (version 3.0;acl "Allow only groups members to query this object";allow (all)
>> (userdn = "ldap:///ou=People,dc=domain,dc=tld??sub??(memberOf=cn=*,cn=proxy,ou=Servers,dc=domain,dc=tld)")
>> ;)
>>
>> I haven't tried this myself, but it should work. You'll need to make sure
>> there is a substring index on memberOf.
>
> It might work, but enabling memberOf, and especially a substring index for
> it, could be very costly.
>
> If the groupdn with the LDAP URL with filter doesn't work, I think listing
> all the groups would be the most efficient method, at the cost that
> maintaining the ACI becomes a more challenging task.
>
> I think ACIs with groupdn do handle nested groups, so to keep the ACI
> simple, one could create a group containing all the groups, e.g.:
>
> cn=acigroup, cn=proxy1, ..
> member: cn=g1, cn=proxy1,...
> member: cn=g2, cn=proxy1,..
> --------
> aci: ............ (groupdn=cn=acigroup, cn=proxy1,...)

This suggestion from Ludwig sounds like the best one so far :)

—
Sincerely,

William Brown

Senior Software Engineer, 389 Directory Server
SUSE Labs, Australia
_______________________________________________
389-users mailing list -- 389-users@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to 389-users-leave@xxxxxxxxxxxxxxxxxxxxxxx
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/389-users@xxxxxxxxxxxxxxxxxxxxxxx
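The nested-group approach Ludwig sketches above, written out as LDIF against the original poster's tree (cn=proxy,ou=Servers,dc=domain,dc=tld). This is an added example, not code from the thread or from the 389 DS project; the umbrella group name cn=acigroup, the groupOfNames object class for the groups, and the member DNs uid=william,ou=People,... are assumptions for illustration. It grants read/search/compare rather than the "allow (all)" used in the earlier memberOf variant, since the stated goal is only to let group members query the object.

```ldif
# Added example (not from the thread): Ludwig's umbrella-group ACI, with
# assumed DNs. Load with: ldapmodify -H ldap://localhost -D "cn=Directory Manager" -W -f this.ldif

# 1. The per-service groups under cn=proxy (assumed to be groupOfNames;
#    the OP's tree shows them but not their object class or members).
dn: cn=group1,cn=proxy,ou=Servers,dc=domain,dc=tld
changetype: add
objectClass: top
objectClass: groupOfNames
cn: group1
member: uid=william,ou=People,dc=domain,dc=tld

dn: cn=group2,cn=proxy,ou=Servers,dc=domain,dc=tld
changetype: add
objectClass: top
objectClass: groupOfNames
cn: group2
member: uid=alice,ou=People,dc=domain,dc=tld

# 2. One umbrella group whose members are the groups themselves. Adding a
#    new service group later means adding one member line here, not
#    editing the ACI.
dn: cn=acigroup,cn=proxy,ou=Servers,dc=domain,dc=tld
changetype: add
objectClass: top
objectClass: groupOfNames
cn: acigroup
member: cn=group1,cn=proxy,ou=Servers,dc=domain,dc=tld
member: cn=group2,cn=proxy,ou=Servers,dc=domain,dc=tld

# 3. The ACI on cn=proxy. groupdn evaluation follows nested membership,
#    so uid=william (member of cn=group1, which is a member of cn=acigroup)
#    matches without the memberOf plugin or any substring index.
#    LDIF continuation lines start with a single space and are joined
#    with that space removed, which yields a valid one-line ACI value.
dn: cn=proxy,ou=Servers,dc=domain,dc=tld
changetype: modify
add: aci
aci: (targetattr = "*")
 (target = "ldap:///cn=proxy,ou=Servers,dc=domain,dc=tld")
 (version 3.0; acl "Allow only group members to query this object";
 allow (read, search, compare)
 (groupdn = "ldap:///cn=acigroup,cn=proxy,ou=Servers,dc=domain,dc=tld");)
```

Two checks worth doing after loading it. First, bind as a member and as a non-member and compare results, e.g. `ldapsearch -H ldap://localhost -D "uid=william,ou=People,dc=domain,dc=tld" -W -b "cn=proxy,ou=Servers,dc=domain,dc=tld" "(objectClass=*)"` should return the entry, while the same search bound as a user in neither group should return nothing. Second, remember that 389 DS allow ACIs are cumulative: if a broader ACI higher in the tree (for example a suffix-level anonymous read ACI) already covers cn=proxy, this ACI does not restrict anyone, because it only adds rights; to truly allow "only" group members you must also remove or narrow that broader grant, or add an explicit deny. The nesting depth 389 DS will follow for groupdn is bounded by nsslapd-groupevalnestlevel in cn=config; one level, as here, is well within the default.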