I''ve created two user entries under People: Test User: uid=testuser Jane Doe : uid=JDoe Here''s what I''m trying to achieve with access control: - Turn off anon access to the entry Test User - Allow full access to Test User on Test User - Allow (read, search, compare) to JDoe on Test User, and no other users - Allow full access to "cn=Directory Manager" on Test User. - Anon access is still allowed on other entries So, here is the list of ACIs (besides the inherited ones) that I''ve created on the entry Test User: (targetattr = "*") (version 3.0;acl "self";allow (all)(userdn = "ldap:///uid=testuser,ou=People, dc=dummy,dc=com");) (targetattr != "userPassword") (version 3.0;acl "No anonymous access";deny (all)(userdn "ldap:///anyone");) (targetattr = "*") (target "ldap:///uid=testuser,ou=People, dc=dummy,dc=com") (version 3.0;acl "Allow JDoe";allow (read,compare,search)(userdn "ldap:///uid=JDoe,ou=People, dc=dummy,dc=com");) With the ACIs above, it seems that the "No anonymous access" is taking precendence over the other two. Even the "Test User" does not have access to its own data, and JDoe certainly does not either. The only user who has access is the Directory Manager. How do I achieve my goals with ACI? thanks a lot. sz. __________________________________ Yahoo! Mail - PC Magazine Editors'' Choice 2005 http://mail.yahoo.com
Chen Shaopeng
2005-Nov-04 09:10 UTC
Re: [Fedora-directory-users] what''s wrong with this ACI?
speedy zinc wrote:> I''ve created two user entries under People: > > Test User: uid=testuser > Jane Doe : uid=JDoe > > Here''s what I''m trying to achieve with access control: > > - Turn off anon access to the entry Test User > - Allow full access to Test User on Test User > - Allow (read, search, compare) to JDoe on Test User, > and > no other users > - Allow full access to "cn=Directory Manager" on Test > User. > - Anon access is still allowed on other entries > > So, here is the list of ACIs (besides the inherited > ones) > that I''ve created on the entry Test User: > > (targetattr = "*") (version 3.0;acl "self";allow > (all)(userdn = "ldap:///uid=testuser,ou=People, > dc=dummy,dc=com");) > > (targetattr != "userPassword") (version 3.0;acl "No > anonymous access";deny (all)(userdn > "ldap:///anyone");) > > (targetattr = "*") (target > "ldap:///uid=testuser,ou=People, dc=dummy,dc=com") > (version 3.0;acl "Allow JDoe";allow > (read,compare,search)(userdn > "ldap:///uid=JDoe,ou=People, dc=dummy,dc=com");) > > With the ACIs above, it seems that the "No anonymous > access" > is taking precendence over the other two. Even the > "Test > User" does not have access to its own data, and JDoe > certainly does not either. The only user who has > access > is the Directory Manager. > > How do I achieve my goals with ACI? >Note that ACIs are logically ORed during evaluation. And "deny" always takes precedence over "allow". So, your ACI which [deny(all)(userdn="ldap:///anyone")] will take precendence over the other two. Therefore, even Test User is denied reading his own data. You can combine the 3 ACIs above into the following: (targetattr="*")(target="ldap:///uid=testuser,ou=People,dc=dummy,dc=com") (version 3.0;acl "Self and JDoe (but no anon to all)"; deny(all)(userdn != "ldap:///uid=testuser,ou=People,dc=dummy,dc=com || ldap://uid=JDoe,ou=People,dc=dummy,dc=com");) This tells the server to deny to all on that specific target except if userdn is "testuser" or "JDoe" . Hope that helps. csp -- Chen Shaopeng http://www.idsignet.com
Rich Megginson
2005-Nov-04 15:25 UTC
Re: [Fedora-directory-users] what''s wrong with this ACI?
Another thing to remember about ACIs is that everything is denied by default. The only things that are allowed are those things which you explicitly allow. So you don''t usually have to create deny rules. speedy zinc wrote:>I''ve created two user entries under People: > >Test User: uid=testuser >Jane Doe : uid=JDoe > >Here''s what I''m trying to achieve with access control: > >- Turn off anon access to the entry Test User >- Allow full access to Test User on Test User >- Allow (read, search, compare) to JDoe on Test User, >and >no other users >- Allow full access to "cn=Directory Manager" on Test >User. >- Anon access is still allowed on other entries > >So, here is the list of ACIs (besides the inherited >ones) >that I''ve created on the entry Test User: > >(targetattr = "*") (version 3.0;acl "self";allow >(all)(userdn = "ldap:///uid=testuser,ou=People, >dc=dummy,dc=com");) > >(targetattr != "userPassword") (version 3.0;acl "No >anonymous access";deny (all)(userdn >"ldap:///anyone");) > >(targetattr = "*") (target >"ldap:///uid=testuser,ou=People, dc=dummy,dc=com") >(version 3.0;acl "Allow JDoe";allow >(read,compare,search)(userdn >"ldap:///uid=JDoe,ou=People, dc=dummy,dc=com");) > >With the ACIs above, it seems that the "No anonymous >access" >is taking precendence over the other two. Even the >"Test >User" does not have access to its own data, and JDoe >certainly does not either. The only user who has >access >is the Directory Manager. > >How do I achieve my goals with ACI? > >thanks a lot. > >sz. > > > > > >__________________________________ >Yahoo! Mail - PC Magazine Editors'' Choice 2005 >http://mail.yahoo.com > >-- >Fedora-directory-users mailing list >Fedora-directory-users@redhat.com >https://www.redhat.com/mailman/listinfo/fedora-directory-users > >
speedy zinc
2005-Nov-04 16:47 UTC
Re: [Fedora-directory-users] what''s wrong with this ACI?
--- Chen Shaopeng <chen_shaopeng@idsignet.com> wrote:> > Note that ACIs are logically ORed during evaluation. > And "deny" > always takes precedence over "allow". So, your ACI > which [deny(all)(userdn="ldap:///anyone")] will take > precendence > over the other two. Therefore, even Test User is > denied reading > his own data. > > You can combine the 3 ACIs above into the following: > >(targetattr="*")(target="ldap:///uid=testuser,ou=People,dc=dummy,dc=com")> (version 3.0;acl "Self and JDoe (but no anon to > all)"; > deny(all)(userdn !> "ldap:///uid=testuser,ou=People,dc=dummy,dc=com || > ldap://uid=JDoe,ou=People,dc=dummy,dc=com");) > > This tells the server to deny to all on that > specific target except > if userdn is "testuser" or "JDoe" . > > Hope that helps. >Thanks a lot, Chen! Exactly what I want :) sz __________________________________ Yahoo! FareChase: Search multiple travel sites in one click. http://farechase.yahoo.com