[Fedora-directory-users] ACI
Richard Megginson
rmeggins at redhat.com
Sun Dec 11 21:11:43 UTC 2005
Craig White wrote:
>On Sun, 2005-12-04 at 17:44 -0500, Jeff Clowser wrote:
>
>
>>Craig White wrote:
>>
>>
>>
>>>I have personal address books...each user would have one - i.e.
>>>
>>>ou=AddressBook,uid=craig,ou=People,dc=azapple,dc=com
>>>ou=AddressBook,uid=jennifer,ou=People,dc=azapple,dc=com
>>>
>>>and my thinking is that each person can read/write/delete/etc. their own
>>>address book, authenticated users can read and anonymous is denied.
>>>
>>>
>>>
>>>
>>First, a comment on this: Does user craig really want user jennifer to
>>see his "personal" addressbooks? Typically, "personal" addressbooks are
>>only visible by the person that owns them. I know I'm questioning your
>>requirements rather than telling you how to implement what you want, but
>>thought I'd ask :)
>>
>>
>----
>finally got through my initial setup to work on these issues and can
>reply back.
>
>Most of my setups are for my clients and they do have workgroups where
>they would possibly need to share address books. So I generally have
>company wide address books and personal address books and permit at
>least some sharing of the personal address books. In addition, since the
>typical address book clients that people would use (Outlook/Thunderbird)
>are incapable of creating/editing entries, it requires some other
>application that some of the people are less than eager to use which
>means that the maintenance of them falls to their underlings
>----
>
>
>>>Thus I created 3 rules and they aren't working because an
>>>unauthenticated/anonymous bind still can view them...
>>>
>>>
>>>
>>>
>>My guess is that at the top of your tree, you have an aci that allows
>>anonymous to see stuff (probably something like anonymous can
>>read/search all but userpassword, etc). Aci's at the top are inherited
>>"down the tree", so they are visible because of that, not because of
>>your new aci's. It's usually hard to create a deny aci for a lower
>>branch of the tree that works without breaking something else, and I
>>always try to avoid deny aci's (because they always take precedence and
>>can never be overridden by any allow aci's, causing some potentially
>>unexpected results).
>>
>>
>----
>Yeah you are correct on all these accounts. Obviously the default rule
>is always to not allow whatever isn't expressly permitted and yes, there
>was the default anonymous allow rule that played into it.
>
>What I did discover was if I attached the following ACI to
>ou=AddressBook,dc=clsurvey,dc=com it doesn't work but if I attach it to
>dc=clsurvey,dc=com it does work.
>
>
I'm not sure why, but most of the time, the (target = ..) clause is not
necessary. acis have subtree scope - they apply to the entry containing
the aci and all children and decendents of that entry. So if the
following aci is in the entry dc=clsurvey,dc=com, you don't need the
(target....) clause.
>(targetattr = "*")
>(target = "ldap:///*,ou=AddressBook,dc=clsurvey,dc=com")
>(version 3.0;
>acl "AddressBook Administrator";
>allow (all)
>(userdn =
>"ldap:///uid=Administrator,ou=People,ou=Accounts,dc=clsurvey,dc=com")
>;)
>
>
>Thanks
>
>Craig
>
>--
>Fedora-directory-users mailing list
>Fedora-directory-users at redhat.com
>https://www.redhat.com/mailman/listinfo/fedora-directory-users
>
>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 3178 bytes
Desc: S/MIME Cryptographic Signature
URL: <http://listman.redhat.com/archives/fedora-directory-users/attachments/20051211/d000ccec/attachment.bin>
More information about the Fedora-directory-users
mailing list