[Fedora-directory-users] ACI

Jeff Clowser jclowser at unitedmessaging.com
Sun Dec 4 22:44:40 UTC 2005 

Craig White wrote:

>I have personal address books...each user would have one - i.e.
>
>ou=AddressBook,uid=craig,ou=People,dc=azapple,dc=com
>ou=AddressBook,uid=jennifer,ou=People,dc=azapple,dc=com
>
>and my thinking is that each person can read/write/delete/etc. their own
>address book, authenticated users can read and anonymous is denied.
>  
>
First, a comment on this:  Does user craig really want user jennifer to 
see his "personal" addressbooks?  Typically, "personal" addressbooks are 
only visible by the person that owns them.  I know I'm questioning your 
requirements rather than telling you how to implement what you want, but 
thought I'd ask :)

>Thus I created 3 rules and they aren't working because an
>unauthenticated/anonymous bind still can view them...
>  
>
My guess is that at the top of your tree, you have an aci that allows 
anonymous to see stuff (probably something like anonymous can 
read/search all but userpassword, etc).  Aci's at the top are inherited 
"down the tree", so they are visible because of that, not because of 
your new aci's.  It's usually hard to create a deny aci for a lower 
branch of the tree that works without breaking something else, and I 
always try to avoid deny aci's (because they always take precedence and 
can never be overridden by any allow aci's, causing some potentially 
unexpected results).

>These are the 3 rules (which are applied to ou=People with the
>expectation that each address book would inherit)...
>
>(targetattr = "*") (target =
>"ldap:///ou=AddressBook,uid=*,ou=People,dc=azapple,dc=com") (version
>3.0;acl "Personal Address Books Owner";allow (all)(userdn =
>"ldap:///self");)
>  
>
Keep in mind that self applies to the entry that is binding (i.e. the 
users entry), not entries under it - i.e. you are defining what the user 
can do to their own records, not the entries under the 
ou=addressbook,...  What I believe this is saying is that if the users 
entry is, say 
uid=craig,ou=addressbook,uid=something,ou=people,dc=azapple,dc=com, they 
can edit any part of their own entry, which is clearly not what you 
want.  (you want uid=craig,ou=people,dc=azapple,dc=com to edit anything 
under ou=addressbook,uid=craig,...).  So, since you are never binding as 
the addressbook entries themselves, the self rule doesn't let you edit 
those entries.

>(targetattr = "*") (target =
>"ldap:///ou=AddressBook,uid=*,ou=People,dc=azapple,dc=com") (version
>3.0;acl "Personal Address Books Non Owner";allow
>(read,compare,search)(userdn = "ldap:///all");)
>
>(targetattr = "") (target = "ldap:///ou=AddressBook,uid=*,ou=People,
>dc=azapple,dc=com") (version 3.0;acl "Personal Address Books";deny
>(all)(userdn = "ldap:///anyone");)
>  
>
OK - you have the deny rule, but you're targetattribute is "", which 
means no target attributes are defined.  The default rule (probably in 
dc=azapple,dc=com) probably allows to all but userpassword or such - 
anything it allows that this does not deny is allowed, so this 
effectively does nothing - you can make targetattr=*, but...  hmm - I 
never use deny, so I'm not sure if this will deny everyone (i.e. not 
just anonymous users, but _all_ users, irregardless how or if they are 
bound - like I said, deny can do unexpected things if you don't 
understand it really well).

>are these supposed to be separate rules or combined into 1 rule?
>  
>
Separate rules - to apply different things to different people (self, 
all, anyone) you have to have differnet rules.

>and lastly...despite the documentation, I can't get ldapsearch to return
>the list of ACI's...
>
>./ldapsearch -h localhost -D 'cn=Directory Manager' -w - '(aci=*)'
>  
>
aci's are operational attributes, which means you have to specifically 
ask for it - i.e.:

./ldapsearch -h localhost -D 'cn=Directory Manager' -w - '(aci=*)' aci

(note the aci added to the end.)

A couple ways to do what you want:
First, instead of putting the aci on the ou=people, put it on each 
ou=addressbook entry - i.e. something like:

dn: ou=addressbook,uid=craig,ou=people,dc=azapple,dc=com
ou: addressbook
objectclass: top
objectclass: organizationunit
aci: (targetattr = "*")  (version 3.0;acl "Personal Address Books 
Owner";allow (all)(userdn =
 "ldap:///uid=craig,ou=people,dc=azapple,dc=com");)
aci: (targetattr = "*")  (version 3.0;acl "Personal Address Books Non 
Owner";
 allow(read,compare,search)(userdn = "ldap:///all");)
aci: (targetattr = "*")  (version 3.0;acl "Personal Address Books";deny 
(all)(userdn = "ldap:///anyone");)

You don't need the target, because it defaults to the entry it's on, 
which is what you want.  I'm still not sure that the deny is gonna work 
right, but give it a try.  Note that you have to define the allow (all) 
to be the dn of the user you want.  You might be able to use 
ldap:///parent, but I think you would then have to bind as 
ou=addressbook,uid=craig... to create entries directly under 
ou=addressbook,uid=craig..., which you can't do.

Another way to do this is to create ou=addressbooks,dc=azapple,dc=com, 
or even a separate tree to hold personal address books (i.e. o=pab), 
then create something like ou=craig,ou=addressbook,dc=azapple,dc=com  
(or ou=craig,o=pab) to hold things in a separate place - in that way, 
you can remove default anonymous access from dc=azapple,dc=com, and set 
anonymous access as appropriate on ou=people..., ou=groups..., 
ou=addressbooks..., etc as you want them.  It makes cleanup of 
everything associated with a user a little more disjointed maybe, but 
it's a lot easier to manage/organize your aci's this way.  Might be able 
to use roles to make creating appropriate aci's easier also.

 - Jeff

More information about the Fedora-directory-users mailing list