a question: we have a requirement where only users that have a role are able to see role membership. so if i have role A, i can see the membership for role A (search on nsRole=<roleA>) but cannot necessarily see role B members, etc. the same restriction applies when pulling the nsRole attribute.

is there any way (via aci) to support this? i've implemented a plugin (actually 2 - a computed attribute and preop) that supports this but wanted to make sure that i wasn't missing something in aci setup that would accomplish the same thing.

Thanks,
Gary
Rich Megginson
2005-Jun-14 21:56 UTC
Re: [Fedora-directory-users] roles and access control
Gary Mann wrote:
> a question: we have a requirement where only users that have a role are able to see role membership. so if i have role A, i can see the membership for role A (search on nsRole=<roleA>) but cannot necessarily see role B members, etc. the same restriction applies when pulling the nsRole attribute.
>
> is there any way (via aci) to support this? i've implemented a plugin (actually 2 - a computed attribute and preop) that supports this but wanted to make sure that i wasn't missing something in aci setup that would accomplish the same thing.

Perhaps by using a targetfilter? e.g. assuming the role definition entry is cn=MyRole,ou=people,dc=example,dc=com

dn: ou=people,dc=example,dc=com
...
aci: (targetattr="uid || cn")(targetfilter="(nsRole=cn=MyRole,ou=people,dc=example,dc=com)")(version 3.0; acl "Allow people to see other role members"; allow (read, search, compare) roledn = "ldap:///cn=MyRole,ou=people,dc=example,dc=com";)

This allows people who are a member of MyRole to see the attributes uid and cn in any entry under ou=people which matches nsRole=cn=myRole,.... (i.e. any entry which belongs to that role). I haven't tried it out but this or something like this should work. See here for more info:
http://www.redhat.com/docs/manuals/dir-server/ag/7.1/acl.html#997355

> Thanks,
> Gary
>
> --
> Fedora-directory-users mailing list
> Fedora-directory-users@redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-directory-users
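The targetfilter/roledn pattern from Rich's reply, written out as an added example (not code from the thread) for two roles, so that members of each role see only the members of their own role. The role entries cn=RoleA and cn=RoleB under ou=people,dc=example,dc=com, the Directory Manager bind DN and the file name are assumptions; the server is assumed to have no broader allow ACI (for example a default anonymous-read ACI) covering uid or cn under ou=people, since allow ACIs are combined and a broader one would override this restriction.

```ldif
# Apply with (assumed bind DN and file name):
#   ldapmodify -x -D "cn=Directory Manager" -W -f role-visibility.ldif
#
# One ACI per role: the targetfilter selects the entries that belong to the
# role, the roledn bind rule restricts the grant to users who hold that role.
# Members of RoleA therefore get read/search/compare on uid and cn of RoleA
# entries only; a search for (nsRole=cn=RoleB,...) bound as a RoleA-only user
# returns nothing.
dn: ou=people,dc=example,dc=com
changetype: modify
add: aci
aci: (targetattr="uid || cn")(targetfilter="(nsRole=cn=RoleA,ou=people,dc=example,dc=com)")(version 3.0; acl "RoleA members see RoleA members"; allow (read, search, compare) roledn="ldap:///cn=RoleA,ou=people,dc=example,dc=com";)
-
add: aci
aci: (targetattr="uid || cn")(targetfilter="(nsRole=cn=RoleB,ou=people,dc=example,dc=com)")(version 3.0; acl "RoleB members see RoleB members"; allow (read, search, compare) roledn="ldap:///cn=RoleB,ou=people,dc=example,dc=com";)
-

# Caveat: nsRole is deliberately left out of targetattr. An ACI grants or
# denies a whole attribute on read; if nsRole were added here, a RoleA member
# reading an entry that holds both RoleA and RoleB would see the RoleB value
# too, because the entry matches the RoleA targetfilter. Per-value filtering
# (targattrfilters) applies only to add/delete/modify, not to read.
#
# Check after loading: bind as a RoleA member and run
#   ldapsearch -x -D "<RoleA member DN>" -W -b ou=people,dc=example,dc=com "(nsRole=cn=RoleA,ou=people,dc=example,dc=com)" uid cn
# then repeat with the RoleB filter; the second search should return no entries.
```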
Pete Rowley

A combination of a value based aci targeting nsroledn:
http://www.redhat.com/docs/manuals/dir-server/ag/7.1/acl.html#997653
And value matching access:
http://www.redhat.com/docs/manuals/dir-server/ag/7.1/acl.html#997653
Gets you there. There are probably other ways to do this too. Using Macro aci's will cut down on the aci admin for this:
http://www.redhat.com/docs/manuals/dir-server/ag/7.1/acl.html#1195760

> -----Original Message-----
> From: fedora-directory-users-bounces@redhat.com
> [mailto:fedora-directory-users-bounces@redhat.com] On Behalf Of Gary Mann
> Sent: Tuesday, June 14, 2005 2:13 PM
> To: fedora-directory-users@redhat.com
> Subject: [Fedora-directory-users] roles and access control
>
> a question: we have a requirement where only users that have a role are able to see role membership. so if i have role A, i can see the membership for role A (search on nsRole=<roleA>) but cannot necessarily see role B members, etc. the same restriction applies when pulling the nsRole attribute.
>
> is there any way (via aci) to support this? i've implemented a plugin (actually 2 - a computed attribute and preop) that supports this but wanted to make sure that i wasn't missing something in aci setup that would accomplish the same thing.
>
> Thanks,
> Gary
> -----Original Message-----
> From: fedora-directory-users-bounces@redhat.com
> [mailto:fedora-directory-users-bounces@redhat.com] On Behalf Of Pete Rowley
> Sent: Tuesday, June 14, 2005 3:03 PM
> To: 'General discussion list for the Fedora Directory server project.'
> Subject: RE: [Fedora-directory-users] roles and access control
>
> A combination of a value based aci targeting nsroledn:

That should be nsrole - _never_ use nsroledn for anything other than adding and removing roles from an entry.