Re: what's wrong with this ACI?

speedy zinc wrote:
> I've created two user entries under People:
> 
> Test User: uid=testuser
> Jane Doe: uid=JDoe
> 
> Here's what I'm trying to achieve with access control:
> 
> - Turn off anon access to the entry Test User
> - Allow full access to Test User on Test User
> - Allow (read, search, compare) to JDoe on Test User, and no other users
> - Allow full access to "cn=Directory Manager" on Test User.
> - Anon access is still allowed on other entries
> 
> So, here is the list of ACIs (besides the inherited ones) that I've created on the entry Test User:
> 
> (targetattr = "*")(version 3.0;acl "self";allow (all)(userdn = "ldap:///uid=testuser,ou=People,dc=dummy,dc=com");)
> 
> (targetattr != "userPassword")(version 3.0;acl "No anonymous access";deny (all)(userdn = "ldap:///anyone");)
> 
> (targetattr = "*")(target = "ldap:///uid=testuser,ou=People,dc=dummy,dc=com")(version 3.0;acl "Allow JDoe";allow (read,compare,search)(userdn = "ldap:///uid=JDoe,ou=People,dc=dummy,dc=com");)
> 
> With the ACIs above, it seems that the "No anonymous access" is taking precedence over the other two. Even the "Test User" does not have access to its own data, and JDoe certainly does not either. The only user who has access is the Directory Manager.
> 
> How do I achieve my goals with ACI?
> 

Note that ACIs are logically ORed during evaluation. And "deny"
always takes precedence over "allow". So, your ACI
which [deny(all)(userdn="ldap:///anyone";)] will take precedence
over the other two. Therefore, even Test User is denied reading
his own data.

You can combine the 3 ACIs above into the following:

(targetattr="*")(target="ldap:///uid=testuser,ou=People,dc=dummy,dc=com")
(version 3.0;acl "Self and JDoe (but no anon to all)";
deny(all)(userdn != "ldap:///uid=testuser,ou=People,dc=dummy,dc=com || ldap:///uid=JDoe,ou=People,dc=dummy,dc=com");)

This tells the server to deny to all on that specific target except
if userdn is "testuser" or "JDoe".

Hope that helps.

csp
-- 
Chen Shaopeng
http://www.idsignet.com
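As an added illustration (not code from either post), a small Python model of the evaluation rule described in the reply: every ACI whose bind rule matches the bound user is considered together, any matching deny wins, and without a matching allow there is no access. It assumes that the Directory Manager bypasses ACIs and that an inherited suffix ACI allows anonymous read/search/compare, which the thread implies ("anon access is still allowed on other entries") but does not show; the constant and class names are the example's own.

```python
from dataclasses import dataclass
from typing import FrozenSet, List, Optional

TESTUSER = "uid=testuser,ou=People,dc=dummy,dc=com"
JDOE = "uid=JDoe,ou=People,dc=dummy,dc=com"
DIRMGR = "cn=Directory Manager"
ANON = ""                                   # anonymous bind carries no DN
READ = frozenset({"read", "search", "compare"})
ALL = READ | {"write", "add", "delete"}

@dataclass(frozen=True)
class Aci:
    name: str
    effect: str                             # "allow" or "deny"
    rights: FrozenSet[str]                  # rights in the permission clause
    dns: Optional[FrozenSet[str]]           # None models userdn = "ldap:///anyone"
    negate: bool = False                    # True models userdn != "dn1 || dn2"

    def matches(self, bind_dn: str) -> bool:
        hit = self.dns is None or bind_dn in self.dns
        return (not hit) if self.negate else hit

def granted(acis: List[Aci], bind_dn: str, right: str) -> bool:
    """Rule from the reply: matching ACIs are ORed, any deny wins, and with
    no matching allow the default is no access (targetattr is ignored here)."""
    if bind_dn == DIRMGR:                   # assumption: the root DN bypasses ACIs
        return True
    hits = [a for a in acis if right in a.rights and a.matches(bind_dn)]
    if any(a.effect == "deny" for a in hits):
        return False
    return any(a.effect == "allow" for a in hits)

# Assumed inherited suffix ACI: the thread says anon still reads other entries.
INHERITED = Aci("Enable anonymous access", "allow", READ, None)

# The poster's three ACIs plus the inherited one.
ORIGINAL = [
    INHERITED,
    Aci("self", "allow", ALL, frozenset({TESTUSER})),
    Aci("No anonymous access", "deny", ALL, None),   # "anyone" matches bound users too
    Aci("Allow JDoe", "allow", READ, frozenset({JDOE})),
]

# csp's single ACI. It only denies, so whatever testuser and JDoe can still do
# comes from an allow ACI that also matches them, here INHERITED.
COMBINED = [
    INHERITED,
    Aci("Self and JDoe (but no anon to all)", "deny", ALL,
        frozenset({TESTUSER, JDOE}), negate=True),
]
```

Running `granted(ORIGINAL, TESTUSER, "read")` reproduces the poster's symptom (everyone but the Directory Manager is denied), while `granted(COMBINED, ...)` lets testuser and JDoe read and still refuses anonymous and other bound users.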


--
Fedora-directory-users mailing list
Fedora-directory-users@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-directory-users
