Bjorn Oglefjorn
2007-Mar-30 16:57 UTC
[Fedora-directory-users] Complicated ACI Definitions
Or maybe it's not so complicated and I don't know how. ;)

This is what I'm trying to accomplish:

Users who are a member of the group 'cn=support'
can perform ALL operations on 'userPassword',
except on targets which are a member of group 'cn=admins' or 'cn=bosses'.

Is this possible? I can't figure out how. Thanks in advance!
--BO
Bjorn Oglefjorn
2007-Apr-02 16:09 UTC
[Fedora-directory-users] Re: Complicated ACI Definitions
Here's what I'm starting with:

  (targetattr = "userPassword")
  (target = "ldap:///dc=example,dc=com")
  (version 3.0;
    acl "Support can change passwords";
    allow (all)
    (groupdn = "ldap:///cn=support,ou=groups,dc=example,dc=com");)

I just can't figure out how to write the exception.
--BO
Richard Megginson
2007-Apr-02 16:17 UTC
Re: [Fedora-directory-users] Re: Complicated ACI Definitions
Bjorn Oglefjorn wrote:
> Here's what I'm starting with:
>
>   (targetattr = "userPassword")
>   (target = "ldap:///dc=example,dc=com")
>   (version 3.0;
>     acl "Support can change passwords";
>     allow (all)
>     (groupdn = "ldap:///cn=support,ou=groups,dc=example,dc=com");)
>
> I just can't figure out how to write the exception.

You can add a separate deny aci - deny takes precedence over allow.

> --BO
>
> --
> Fedora-directory-users mailing list
> Fedora-directory-users@redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-directory-users
Bjorn Oglefjorn
2007-Apr-02 16:26 UTC
Re: [Fedora-directory-users] Re: Complicated ACI Definitions
Thanks for the response, Richard. This helps some, but how do I target the _members_ of, say 'cn=admins,ou=groups,dc=example,dc=com'?

Thanks again,
--BO
Richard Megginson
2007-Apr-02 17:14 UTC
Re: [Fedora-directory-users] Re: Complicated ACI Definitions
Bjorn Oglefjorn wrote:
> Thanks for the response, Richard. This helps some, but how do I target
> the _members_ of, say 'cn=admins,ou=groups,dc=example,dc=com'?

Hmm - not sure. I don't think this is possible. It doesn't appear that groupdn is supported in a target clause. If all of the entries could be identified by a search filter, you could use a (targetfilter=...). If you use Roles instead of groups, you could use (targetfilter=(nsRole=dn_of_role_definition)).
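The two approaches Richard describes, a targetfilter on nsRole and a separate deny ACI, written out as LDIF for 389/Fedora Directory Server. This is an added example, not from the thread; it assumes admins and bosses have been converted to managed roles under ou=roles,dc=example,dc=com (a constructed location) and that the support group DN is the one from Bjorn's ACI.

```ldif
# Constructed example; role DNs under ou=roles,dc=example,dc=com are assumed.
# LDIF continuation lines start with one space that is stripped on join, so a
# second space keeps the ACI keywords separated when the value is reassembled.

# Managed role that marks admin accounts: each admin entry carries
# "nsRoleDN: cn=admins,ou=roles,dc=example,dc=com" and the server computes
# the virtual nsRole attribute that a targetfilter can match.
# cn=bosses is defined the same way.
dn: cn=admins,ou=roles,dc=example,dc=com
changetype: add
objectClass: top
objectClass: LDAPsubentry
objectClass: nsRoleDefinition
objectClass: nsSimpleRoleDefinition
objectClass: nsManagedRoleDefinition
cn: admins

# Option A: one allow ACI whose targetfilter excludes members of either role,
# so support never matches an admin or boss entry and no deny rule is needed.
# An entry with no nsRole value at all still matches both negations.
dn: dc=example,dc=com
changetype: modify
add: aci
aci: (targetattr = "userPassword")
  (target = "ldap:///dc=example,dc=com")
  (targetfilter = "(&(!(nsRole=cn=admins,ou=roles,dc=example,dc=com))(!(nsRole=cn=bosses,ou=roles,dc=example,dc=com)))")
  (version 3.0; acl "Support can change passwords except admins and bosses";
  allow (all)
  (groupdn = "ldap:///cn=support,ou=groups,dc=example,dc=com");)

# Option B: keep the original allow ACI from the thread and add a deny ACI
# scoped to role members; a matching deny takes precedence over any allow.
dn: dc=example,dc=com
changetype: modify
add: aci
aci: (targetattr = "userPassword")
  (target = "ldap:///dc=example,dc=com")
  (targetfilter = "(|(nsRole=cn=admins,ou=roles,dc=example,dc=com)(nsRole=cn=bosses,ou=roles,dc=example,dc=com))")
  (version 3.0; acl "Support may not modify admin or boss passwords";
  deny (all)
  (groupdn = "ldap:///cn=support,ou=groups,dc=example,dc=com");)
```

Load the role definitions before the ACIs, and confirm with an ldapsearch that an admin entry actually returns the computed nsRole value before relying on the filter; either option alone is sufficient, and loading both is harmless.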
Bjorn Oglefjorn
2007-Apr-02 18:26 UTC
Re: [Fedora-directory-users] Re: Complicated ACI Definitions
That's a shame. Thanks for the push in the right direction though.
--BO