Thanks for your response Jeff.<br><br>I tried with your suggestion and did the following to my LDIF file. I use the ldapmodify command and logged in as "cn=Directory Manager" to perform these add operations.<br>
dn: ou=serviceaccounts,dc=test,dc=example,dc=com<br>changetype: add<br>objectclass: top<br>objectclass: organizationalunit<br>aci: <br> (targetattr = "*")<br> (version 3.0;<br> acl "general user access";
<br> allow (all)<br> (userdn="ldap:///self")<br> ;)<br><br>dn: cn=user1,ou=serviceaccounts,dc=test,dc=example,dc=com<br>changetype: add<br>objectclass: top<br>objectclass: person<br>sn: user1<br>userPassword: testing123
<br>description: This is a test<br><br>Now when I use the ldapmodify and logged in as "cn=user1", to perform the below operation, it failed and gave me an insufficient access (50) error. Any idea? I think I'm stuck again. :-(
<br>dn: cn=testing123,cn=user1,ou=serviceaccounts,dc=test,dc=example,dc=com<br>changetype: add<br>objectclass: top<br>objectclass: room<br><br>Thanks<br><br>David<br><br><div class="gmail_quote">On Dec 10, 2007 3:44 PM, Clowser, Jeff (Contractor) <
<a href="mailto:jeff_clowser@fanniemae.com">jeff_clowser@fanniemae.com</a>> wrote:<br><blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;"><div class="Ih2E3d">
> I think you cleared everything for me. I did misunderstood the<br>concept of "ldap:///self", and<br>> I agree with you that deny rules should be avoided.<br>><br>>ldap:///self refers to the owner of the entry which is the creator of
<br>the entry. Am I correct on this?<br><br></div>No. ldap:///self means the aci applies to the entry you bind to the<br>server as. For example, if you create a rule on ou=serviceaccounts that<br>says ldap:///self can change the attribute "userpassword", any user
<br>under ou=serviceaccounts can change their own password (i.e. if I bind<br>as uid=user1,ou=serviceaccounts, I can write to the userpassword<br>attribute of user1, and no one elses. If I bind as user2, I can write<br>to user2's userpassword attribute, but no one elses). Creator of the
<br>entry has nothing to do with it. Technically, "owner" is yet something<br>else (if an entry has an owner attribute, that typically will contain<br>dn's of "owners" of the entry that can manipulate it in some way, but
<br>that's not automatic - you'd have to create aci's to define that owner<br>relationship. LDAP does not otherwise/by default have "owners" of<br>entries - Creator != Owner).<br><div class="Ih2E3d">
<br><br>> After I specified the userdn as<br>cn=user1,ou=serviceaccounts,dc=test,dc=example,dc=com in my ACI,<br>> everything is now working as expected. user1 doesn't have the ability<br>to write/add/replace the entry.
<br>><br>>Below is my new LDIF<br>>dn: ou=serviceaccounts,dc=test,dc=example,dc=com<br>> changetype: add<br>> objectclass: top<br>> objectclass: organizationalunit<br>><br>>dn: cn=user1,ou=serviceaccounts,dc=test,dc=example,dc=com
<br>> changetype: add<br>> objectclass: top<br>> objectclass: person<br>> sn: user1<br>> userPassword: testing123<br>> description: This is a test<br>> aci:<br>> (targetattr = "*")<br>> (version
3.0;<br>> acl "user1";<br>> allow (read, search, compare)<br>><br>(userdn="ldap:///cn=user1,ou=serviceaccounts,dc=test,dc=example,dc=com<br>> ");)<br><br><br></div>By doing it this way, you are allowing user1 to see it's own account,
<br>and nothing more - this aci does not allow other users to see user1, and<br>does not allow user1 to see other users. Not unreasonable in and of<br>itself, but if you create many users where you want identical behavior,
<br>it's very inefficient - you'll have way to many aci's in the directory<br>and maintenance is more difficult.<br><br>If you want all users to have these same rights, a better way is to put<br>an aci like the following on the ou=serviceaccounts entry (and leave the
<br>aci off the user):<br><div class="Ih2E3d"><br> aci:<br> (targetattr = "*")<br> (version 3.0;<br></div> acl "user access";<br> allow (read, search, compare)<br> (userdn="ldap:///self<br> ");)
<br><br>This will allow any user under that branch of the tree that binds to the<br>directory to read/search/compare their own entry, in it's entirety,<br>without granting them access to anything else, nor granting any other
<br>user to see their entry. (I'd still recommend that you restrict the<br>attribute list further, at least to targetattr!="userpassword" - there's<br>usually no need for users to see their password hash, and letting that
<br>be transmitted over the network so freely is a bit of a security<br>concern.)<br><br>(Note: if you already have aci's in your tree above this, including the<br>default aci's that come with the dir server, you may have other access
<br>granted that is added to this).<br><font color="#888888"><br> - Jeff<br></font><div class="Ih2E3d"><br><br><br><br>On Dec 10, 2007 12:48 PM, Clowser, Jeff (Contractor) <<br></div><div><div></div><div class="Wj3C7c">
<a href="mailto:jeff_clowser@fanniemae.com">jeff_clowser@fanniemae.com</a> <mailto:<a href="mailto:jeff_clowser@fanniemae.com">jeff_clowser@fanniemae.com</a>> > wrote:<br><br><br> Couple things here. First, avoid deny rules if at all possible
<br>- deny rules always take precedence, so you can *never* override a deny<br>rule with something to allow access that has been denied elsewhere.<br><br> Second, I think you are misunderstanding how ldap:///self works.
<br>ldap:///self basically says "These permissions are granted on the<br>targetted entry if I bind to the server as that target entry". In your<br>case, what your deny rule is saying is that if I bind as user1, I can't
<br>read, write, or even search for the user1 entry, and as a deny rule, you<br>can't create any other rule to ever allow user1 to see his own entry.<br><br> So, you've created a rule that says anyone can read/write/search
<br>to anything under ou=serviceaccounts, *except* user1 can't<br>read/write/search on his own entry.<br><br> BTW, this seems like a really bad idea. Forget about ACI's and<br>implementation for the moment - conceptually, what are you trying to do?
<br>Who should be able to do what? Are you saying you want anyone except<br>user1 to be able to have full access to anything under<br>ou=serviceaccounts?<br><br> To define your access controls, you should really figure out who
<br>you want to do what, then define aci's for each thing you want to allow,<br>such that they only *allow* just what you need, so you don't need any<br>kind of deny rules.<br><br> If you want to, for example, allow any user to edit any part of
<br>just their own record, put something like the following on the<br>ou=serviceaccounts entry:<br><br> aci:<br> (targetattr = "*")<br> (version 3.0;<br> acl "default aci for service accounts";
<br> allow (all)<br><br> (userdn=ldap:///self)<br> ;)<br><br> This says that if I bind as a user under ou=serviceaccounts, I<br>have full read/write/search access to the entry I bound as (i.e
. my<br>account).<br> However, I'd recommend making even that more restrictive (for<br>example, if all they really need to write to is their password, create<br>one aci to allow them to read/search all attributes except the
<br>userpassword, and one to allow write to the userpassword with userdn of<br>ldap:///self), etc. If you want all users to read other users entries,<br>create another aci that allows search/read access to ldap:///anyone (and
<br>at least make it targetattr!="userpassword"), and so on..<br><br> - Jeff<br><br><br>________________________________<br><br> From: <a href="mailto:fedora-directory-users-bounces@redhat.com">fedora-directory-users-bounces@redhat.com
</a><br>[mailto:<a href="mailto:fedora-directory-users-bounces@redhat.com">fedora-directory-users-bounces@redhat.com</a>] On Behalf Of Chun Tat<br>David Chu<br> Sent: Monday, December 10, 2007 11:37 AM<br> To:
<a href="mailto:fedora-directory-users@redhat.com">fedora-directory-users@redhat.com</a><br> Subject: Re: [Fedora-directory-users] Question about ACI<br><br><br> Hi guys,<br><br> Please see below for my original question.
<br><br> I spend a little more time reading "Chapter 6 - Managing Access<br>Control" from the RH Administrator Guide. At first, I thought it was my<br>placement of ACI that was wrong, but it seems like that's not the case
<br>from what I read. The book stated that "The precedence rule that<br>applies is that ACIs that deny access take precedence over ACIs that<br>allow access." If my root allows everything and then my leaf denies
<br>everything then I don't see why the add operation that I mentioned below<br>should work.<br><br> Let me clear up a little more in case there's any confusion.<br>The ou=serviceaccounts and cn=user1 entry is created by the
<br>"cn=Directory Manager" user. In my test, the root (ou=serviceaccounts),<br>I specified an ACI that allows all user to do anything. In my leaf<br>(cn=user1), I specified an ACI that denies everything for user1 by
<br>defining the bind rule as (ldap:///self).<br><br> When I logged in as user1, I'm able to add entry in the cn=user1<br>context. I am not sure why because I thought that user1 shouldn't have<br>any privilege to do anything due to my specified ACI.
<br><br> Any idea? Am I missing some obvious?<br><br> Thanks!<br><br> David<br><br><br> On Dec 7, 2007 6:28 PM, Chun Tat David Chu<br><<a href="mailto:beyonddc.storage@gmail.com">beyonddc.storage@gmail.com
</a>> wrote:<br><br><br> Hi guys,<br><br> I am trying to create an organizational unit and an user<br>with ACI, but it looks like my ACI is not defined correctly.<br> Below is my ldif.
<br><br> dn: ou=serviceaccounts,dc=test,dc=example,dc=com<br> changetype: add<br> objectclass: top<br> objectclass: organizationalunit<br> aci:<br>
(targetattr = "*")<br> (version 3.0;<br> acl "default aci for service accounts";<br> allow (all)<br> (userdn="ldap:///anyone")
<br> ;)<br><br> dn:<br>cn=user1,ou=serviceaccounts,dc=test,dc=example,dc=com<br> changetype: add<br> objectclass: top<br> objectclass: person<br>
sn: user1<br> userPassword: testing123<br> description: This is a test<br> aci:<br> (targetattr = "*")<br> (version 3.0
;<br> acl "user1";<br> deny (all)<br> (userdn="ldap:///self")<br> ;)<br><br> I create an organizational unit that allows all users to
<br>modify it, then I create user1 that denies everything.<br> I then use the below LDIF to perform a LDAP add<br>operation.<br><br> dn:<br>cn=testing123,cn=user1,ou=serviceaccounts,dc=test,dc=example,dc=com
<br> changetype: add<br> objectclass: top<br> objectclass: room<br><br> I use this ldapmodify command to perform the add<br>operation<br> ldapmodify -h hostname -p 1389 -D
<br>"cn=user1,ou=serviceaccounts,dc=test,dc=example,dc=com" -w testing123 -f<br>my_test.ldif -x<br><br> The add operation succeeded unexpectedly. The result<br>that I'm looking for should be not enough privilege to perform add
<br>operation.<br><br> Anyone knows what's wrong with my ACI setup?<br><br> Thanks!<br><br> David<br><br><br><br><br> --<br> Fedora-directory-users mailing list
<br> <a href="mailto:Fedora-directory-users@redhat.com">Fedora-directory-users@redhat.com</a><br> <a href="https://www.redhat.com/mailman/listinfo/fedora-directory-users" target="_blank">https://www.redhat.com/mailman/listinfo/fedora-directory-users
</a><br><br><br><br><br><br>--<br>Fedora-directory-users mailing list<br><a href="mailto:Fedora-directory-users@redhat.com">Fedora-directory-users@redhat.com</a><br><a href="https://www.redhat.com/mailman/listinfo/fedora-directory-users" target="_blank">
https://www.redhat.com/mailman/listinfo/fedora-directory-users</a><br></div></div></blockquote></div><br>