<html>
<head>
<meta content="text/html; charset=UTF-8" http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
<br>
<div class="moz-cite-prefix">On 05/28/2014 05:08 PM, Martin Kosek
wrote:<br>
</div>
<blockquote cite="mid:5385FC04.6000304@redhat.com" type="cite">
<pre wrap="">On 05/28/2014 05:03 PM, Ludwig Krispenz wrote:
</pre>
<blockquote type="cite">
<pre wrap="">
On 05/28/2014 04:56 PM, Martin Kosek wrote:
</pre>
<blockquote type="cite">
<pre wrap="">On 05/28/2014 04:50 PM, Simo Sorce wrote:
</pre>
<blockquote type="cite">
<pre wrap="">On Wed, 2014-05-28 at 16:27 +0200, Petr Viktorin wrote:
</pre>
<blockquote type="cite">
<pre wrap="">Simo, I hazily remember discussing that we should only allow specific
attributes on add, otherwise users can add entries with any extra
objectclasses and attributes. Did we come to a conclusion?
I might have confused targetattr with targetattrfilter in my notes;
since I see targetattr is ineffective.
</pre>
</blockquote>
<pre wrap="">Yes we need to restrict at least the allowed objectclasses I think.
Simo.
</pre>
</blockquote>
<pre wrap="">We do not have a support for targetattrfilter, I do not think this was ever
tested. This part of ACI is also not very well documented, I think Petr found
just one notice in the DS documentation about targetattrfilter.
</pre>
</blockquote>
<pre wrap="">It is in chapter 13.2.3.5 in
<a class="moz-txt-link-freetext" href="https://access.redhat.com/site/documentation/en-US/Red_Hat_Directory_Server/9.0/html/Administration_Guide/Managing_Access_Control-Creating_ACIs_Manually.html#Creating_ACIs_Manually-Defining_Targets">https://access.redhat.com/site/documentation/en-US/Red_Hat_Directory_Server/9.0/html/Administration_Guide/Managing_Access_Control-Creating_ACIs_Manually.html#Creating_ACIs_Manually-Defining_Targets</a>
and it is for unknown reasons: targattrfilters
</pre>
</blockquote>
<pre wrap="">
Right, this is what I (and Petr) was talking about. The doc contains just this
single line of information about targetattrfilters.</pre>
</blockquote>
Well, it is not much, but more than one line :-)<br>
<br>
<blockquote cite="mid:5385FC04.6000304@redhat.com" type="cite">
<h4 class="title">13.3.2.5. Targeting Attribute Values Using LDAP
Filters</h4>
<div class="para"> You can use access control to target specific
attribute values. This means that you can grant or deny
permissions on an attribute if that attribute's value meets the
criteria defined in the ACI. An ACI that grants or denies access
based on an attribute's value is called a value-based ACI. </div>
<div class="para"> For example, you might grant all users in your
organization permission to modify the <em class="parameter"><code>nsroledn</code></em>
attribute in their own entry. However, you would also want to
ensure that they do not give themselves certain key roles, such
as <code class="command">Top Level Administrator</code>. LDAP
filters are used to check that the conditions on attribute
values are satisfied. </div>
<div class="para"> To create a value-based ACI, you must use the <code
class="command">targattrfilters</code> keyword with the
following syntax: </div>
<pre wrap="">(targattrfilters="add=attr1:F1 && attr2:F2 ... && attrn:Fn,del=attr1:F1 && attr2:F2 ... && attrn:Fn")</pre>
<div xmlns:d="http://docbook.org/ns/docbook" class="itemizedlist">
<ul>
<li class="listitem">
<div class="para"> <code class="command">add</code>
represents the operation of creating an attribute. </div>
</li>
<li class="listitem">
<div class="para"> <code class="command">del</code>
represents the operation of deleting an attribute. </div>
</li>
<li class="listitem">
<div class="para"> <span class="emphasis"><em>attrx</em></span>
represents the target attributes. </div>
</li>
<li class="listitem">
<div class="para"> <span class="emphasis"><em>Fx</em></span>
represents filters that apply only to the associated
attribute. </div>
</li>
</ul>
</div>
<div class="para"> When creating an entry, if a filter applies to
an attribute in the new entry, then each instance of that
attribute must satisfy the filter. When deleting an entry, if a
filter applies to an attribute in the entry, then each instance
of that attribute must also satisfy the filter. </div>
<div class="para"> When modifying an entry, if the operation adds
an attribute, then the add filter that applies to that attribute
must be satisfied; if the operation deletes an attribute, then
the delete filter that applies to that attribute must be
satisfied. If individual values of an attribute already present
in the entry are replaced, then both the add and delete filters
must be satisfied. </div>
<div class="para"> For example, consider the following attribute
filter: </div>
<pre wrap="">(targattrfilters="add=nsroledn:(!(nsroledn=cn=superAdmin)) && telephoneNumber:(telephoneNumber=123*)")</pre>
<div class="para"> This filter can be used to allow users to add
any role (<em class="parameter"><code>nsroledn</code></em>
attribute) to their own entry, except the <code class="command">superAdmin</code>
role. It also allows users to add a telephone number with a 123
prefix. </div>
<pre wrap=""> Try googling that and
you won't get much more.
Just for completeness, posting one of the top findings:
Bug 1032767 - Examples of the targetattrfilters ACI keyword need to be documented
Martin
</pre>
</blockquote>
<br>
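To make the quoted targattrfilters semantics concrete, here is an added toy evaluator (not code from the thread, from the documentation, or from 389-DS) that parses the keyword syntax above and checks which values of a proposed add/delete would be rejected, using the doc's own nsroledn/telephoneNumber example; it models only a small LDAP filter subset and evaluates each filter against a pseudo-entry holding just the single value being added, which is an assumption about how the server applies it.<br>

```python
"""Toy evaluator for the 389-DS 'targattrfilters' ACI keyword (added example, not 389-DS code).
Filter subset modelled: (a=v), (a=prefix*), (!(f)), (&(f)(g)), (|(f)(g)); case-insensitive."""
import re

def parse_targattrfilters(aci):
    """Return {'add': {attr: filter}, 'del': {attr: filter}} with attrs lowercased."""
    body = re.search(r'targattrfilters\s*=\s*"([^"]*)"', aci).group(1)
    rules = {"add": {}, "del": {}}
    # split clauses only at ',add=' / ',del=' so commas inside DN values survive
    for clause in re.split(r",(?=(?:add|del)=)", body):
        op, _, items = clause.strip().partition("=")
        for item in items.split("&&"):          # 'attr:(filter)' pairs
            attr, _, flt = item.strip().partition(":")
            rules[op][attr.lower()] = flt.strip()
    return rules

def _parse_filter(s, i=0):
    """Recursive-descent parse of a parenthesised LDAP filter; returns (node, next_index)."""
    i += 1                                       # skip '('
    if s[i] in "&|!":
        op, kids, i = s[i], [], i + 1
        while s[i] == "(":
            node, i = _parse_filter(s, i)
            kids.append(node)
        return (op, kids), i + 1                 # skip ')'
    j = s.index(")", i)
    attr, _, val = s[i:j].partition("=")
    return ("=", attr.strip().lower(), val), j + 1

def _match(node, attr, value):
    """Evaluate a parsed filter against an 'entry' that holds only this attr=value (assumption)."""
    kind = node[0]
    if kind in "&|":
        return (all if kind == "&" else any)(_match(k, attr, value) for k in node[1])
    if kind == "!":
        return not _match(node[1][0], attr, value)
    fattr, pattern = node[1], node[2].lower()
    if fattr != attr:                            # filter names another attribute
        return False
    if pattern.endswith("*"):                    # prefix wildcard, e.g. 123*
        return value.lower().startswith(pattern[:-1])
    return value.lower() == pattern

def rejected_values(rules, op, attr, values):
    """Values of attr the op's filter rejects; [] means allowed (unfiltered attrs pass)."""
    flt = rules[op].get(attr.lower())
    node = _parse_filter(flt)[0] if flt else None
    return [v for v in values if node and not _match(node, attr.lower(), v)]

ACI = ('(targattrfilters="add=nsroledn:(!(nsroledn=cn=superAdmin))'
       ' && telephoneNumber:(telephoneNumber=123*)")')  # the example from the quoted doc
```
<br>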
</body>
</html>