Re: [389-devel] Design review: Access control on entries specified in MODDN operation (ticket 47553)

On 02/24/2014 02:47 PM, Noriko Hosoi wrote:
Rich Megginson wrote:
On 02/24/2014 09:00 AM, thierry bordaz wrote:
Hello,

The IPA team filed this ticket https://fedorahosted.org/389/ticket/47553.

It requires an ACI improvement so that during a MODDN a given user is only allowed to move an entry from one specified part of the DIT to another specified part of the DIT. This without the need to grant the ADD permission.

Here is the design of what could be implemented to support this need http://port389.org/wiki/Access_control_on_trees_specified_in_MODDN_operation

regards
thierry


Since this is not related to any Red Hat internal or customer information, we should move this discussion to the 389-devel list.

Hi Thierry,

Your design looks good.  A minor question.  The doc does not mention "deny".  For instance, in your example DIT, can I allow "moddn_to" and "moddn_from" on the top "dc=example,dc=com" and deny them on "cn=tests"?  Then, I can move an entry between cn=accounts and staging, but not to/from cn=tests?  Or is "deny" not supposed to be used there?

In which entry do you set these ACIs?

Do you set
aci: (target="ldap:///cn=staging,dc=example,dc=com")(version 3.0; acl "MODDN from"; allow (moddn_from)
 userdn="ldap:///uid=admin_accounts,dc=example,dc=com" ;)
in the cn=accounts,dc=example,dc=com entry?

Do you set
aci: (target="ldap:///cn=accounts,dc=example,dc=com")(version 3.0; acl "MODDN to"; allow (moddn_to)
 userdn="ldap:///uid=admin_accounts,dc=example,dc=com" ;)
in the cn=staging,dc=example,dc=com entry?


Thanks,
--noriko
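Added illustration (not code from the thread, the design page, or 389-ds itself): a small Python model of the proposal as the thread describes it, i.e. a MODDN succeeds only when the bind DN holds moddn_from on the entry's current location and moddn_to on its destination, with no ADD right involved. It parses ACI values in the form quoted above (LDIF continuation lines folded first) and evaluates Noriko's deny scenario: allow both rights on dc=example,dc=com, deny them on cn=tests. Two simplifications are assumptions of this model and not settled by the thread: the ACI's target subtree is taken as the subtree the right applies to (so the question of which entry the ACI is set in is not modelled), and deny is taken to override allow, as it does for other 389-ds ACI rights.

```python
import re
from dataclasses import dataclass

# Hypothetical model, not 389-ds evaluation code. Assumptions: an ACI's target
# subtree is the subtree its rights apply to, and a matching deny wins over allow.


def normalize_dn(dn):
    """Case-fold RDN components and drop whitespace around the commas."""
    return ",".join(p.strip().lower() for p in dn.split(","))


def dn_under(dn, base):
    """True if dn is base itself or lies below base in the DIT."""
    dn, base = normalize_dn(dn), normalize_dn(base)
    return dn == base or dn.endswith("," + base)


# Only the ACI shape used in the thread is recognised:
# (target="ldap:///...")(version 3.0; acl "name"; allow|deny (rights) userdn="ldap:///..." ;)
ACI_RE = re.compile(
    r'\(target="ldap:///(?P<target>[^"]+)"\)'
    r'\(version 3\.0;\s*acl "(?P<name>[^"]+)";\s*'
    r'(?P<effect>allow|deny)\s*\((?P<rights>[^)]*)\)\s*'
    r'userdn="ldap:///(?P<userdn>[^"]+)"\s*;\)'
)


@dataclass(frozen=True)
class Aci:
    target: str
    name: str
    effect: str
    rights: frozenset
    userdn: str


def parse_aci(text):
    """Parse one 'aci:' attribute value; LDIF continuation lines are folded first."""
    folded = " ".join(text.split())
    if folded.startswith("aci:"):
        folded = folded[4:].strip()
    m = ACI_RE.fullmatch(folded)
    if m is None:
        raise ValueError(f"unrecognised ACI syntax: {folded!r}")
    rights = frozenset(r.strip().lower() for r in m["rights"].split(",") if r.strip())
    return Aci(m["target"], m["name"], m["effect"], rights, m["userdn"])


def _has_right(acis, right, dn, user):
    """Deny-overrides: a matching deny refuses; otherwise at least one allow is needed."""
    matching = [
        a for a in acis
        if right in a.rights
        and dn_under(dn, a.target)
        and normalize_dn(a.userdn) == normalize_dn(user)
    ]
    if any(a.effect == "deny" for a in matching):
        return False
    return any(a.effect == "allow" for a in matching)


def moddn_allowed(acis, user, entry_dn, new_superior):
    """MODDN of entry_dn under new_superior needs moddn_from at the source and moddn_to at the destination."""
    rdn = entry_dn.split(",", 1)[0]
    new_dn = f"{rdn},{new_superior}"
    return (_has_right(acis, "moddn_from", entry_dn, user)
            and _has_right(acis, "moddn_to", new_dn, user))


ADMIN = "uid=admin_accounts,dc=example,dc=com"

# Constructed sample: Noriko's scenario, allow at the suffix, deny on cn=tests.
SAMPLE_ACIS = [parse_aci(s) for s in (
    'aci: (target="ldap:///dc=example,dc=com")(version 3.0; acl "MODDN from anywhere"; allow (moddn_from)\n'
    f' userdn="ldap:///{ADMIN}" ;)',
    'aci: (target="ldap:///dc=example,dc=com")(version 3.0; acl "MODDN to anywhere"; allow (moddn_to)\n'
    f' userdn="ldap:///{ADMIN}" ;)',
    'aci: (target="ldap:///cn=tests,dc=example,dc=com")(version 3.0; acl "No MODDN in tests"; deny (moddn_from,moddn_to)\n'
    f' userdn="ldap:///{ADMIN}" ;)',
)]


def demo():
    """Evaluate the three moves from the thread; returns (staging->accounts, staging->tests, tests->accounts)."""
    return (
        moddn_allowed(SAMPLE_ACIS, ADMIN, "uid=bob,cn=staging,dc=example,dc=com", "cn=accounts,dc=example,dc=com"),
        moddn_allowed(SAMPLE_ACIS, ADMIN, "uid=bob,cn=staging,dc=example,dc=com", "cn=tests,dc=example,dc=com"),
        moddn_allowed(SAMPLE_ACIS, ADMIN, "uid=bob,cn=tests,dc=example,dc=com", "cn=accounts,dc=example,dc=com"),
    )


if __name__ == "__main__":
    print(demo())
```

Under these assumptions the move between cn=staging and cn=accounts is permitted while any move into or out of cn=tests is refused, which is the behaviour Noriko asks about; no "add" right appears in any of the sample ACIs, so the separation from ADD that the ticket asks for is preserved by construction.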




--
389-devel mailing list
389-devel@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/389-devel

