[Fedora-directory-users] ACI to restrict access to sensitive attributes.

Rich Megginson rmeggins at redhat.com
Thu Jul 28 20:20:20 UTC 2005

By default, FDS will restrict access to everything - that is, you don't 
need to have an explicit deny unless you have another ACI somewhere that 
allows other attributes.  ACIs work together in this way - when there is 
a rule that allows some access and a rule that explicitly denies that 
same access, the deny rule wins.  In your case, if this is the only ACI, 
you don't need the deny clause, you could just do this:
(target = "ldap:///ou=People, dc=ite,dc=gmu,dc=edu")
(targetattr ="employeeNumber") 
(version 3.0;acl "EmployeeNumber";
allow (read) userdn="ldap:///self" and authmethod="sasl gssapi";
)

Alastair Neil wrote:

> I am struggling with setting ACIs to restrict access to certain attributes.
> I would like the employeenumber attribute to be visible only to the user and
> only if they are authenticated via sasl gssapi. I have tried several
> variants of the following:
> (target = "ldap:///ou=People, dc=ite,dc=gmu,dc=edu")
> (targetattr ="employeeNumber") 
> (version 3.0;acl "EmployeeNumber";
> deny (all) userdn="ldap:///anyone" |
> allow (read) userdn="ldap:///self" and authmethod="sasl gssapi";
> )
> this one seems to deny access regardless of the authmethod or binddn used.
> Anyone got any pointers?
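The reply's two rules, default deny and deny-beats-allow, are easy to get wrong when several ACIs apply to the same entry, so here is an added illustration that is not part of the thread and not the server's own code: a small Python model of ACI evaluation that runs the same four requests (self over GSSAPI, self over a simple bind, another user over GSSAPI, anonymous) against different ACI sets. Real Fedora/389 Directory Server ACIs also carry targets, targetfilters, rights other than read and many more bind-rule keywords; the DNs, the user names and the "users read everything" ACI are constructed sample values.

```python
"""Toy evaluator for the ACI semantics described in the reply above: access is
denied unless some ACI allows it, and when a matching deny and a matching allow
both apply, the deny wins. Added illustration only, not Directory Server code."""
from dataclasses import dataclass
from typing import Callable, Dict, FrozenSet, List


@dataclass(frozen=True)
class Request:
    bind_dn: str      # "" for an anonymous bind
    authmethod: str   # "none", "simple" or "sasl gssapi"
    entry_dn: str     # entry whose attribute is being read
    attr: str


@dataclass(frozen=True)
class Aci:
    name: str
    targetattr: FrozenSet[str]              # {"*"} covers every attribute
    verb: str                               # "allow" or "deny"
    bind_rule: Callable[[Request], bool]    # stands in for the userdn/authmethod clause

    def matches(self, req: Request) -> bool:
        # Attribute type names are case-insensitive in LDAP.
        covered = "*" in self.targetattr or req.attr.lower() in {a.lower() for a in self.targetattr}
        return covered and self.bind_rule(req)


def can_read(acis: List[Aci], req: Request) -> bool:
    """Default deny; any matching deny overrides any matching allow."""
    matched = [a for a in acis if a.matches(req)]
    if any(a.verb == "deny" for a in matched):
        return False
    return any(a.verb == "allow" for a in matched)


# Bind rules, mirroring the keywords used in the thread.
def self_via_gssapi(req: Request) -> bool:
    # userdn="ldap:///self" and authmethod="sasl gssapi"
    return req.bind_dn.lower() == req.entry_dn.lower() and req.authmethod == "sasl gssapi"


def anyone(req: Request) -> bool:
    # userdn="ldap:///anyone": matches anonymous and authenticated binds alike
    return True


def all_users(req: Request) -> bool:
    # userdn="ldap:///all": any authenticated bind
    return req.bind_dn != ""


EMPLOYEE_NUMBER = frozenset({"employeeNumber"})
# The allow-only ACI proposed in the reply.
ALLOW_SELF_GSSAPI = Aci("EmployeeNumber", EMPLOYEE_NUMBER, "allow", self_via_gssapi)
# The original poster's deny (all) userdn="ldap:///anyone" clause, taken on its own.
DENY_ANYONE = Aci("EmployeeNumber-deny", EMPLOYEE_NUMBER, "deny", anyone)
# A broad ACI of the kind many directories already carry (constructed example).
READ_ALL_FOR_USERS = Aci("Users read everything", frozenset({"*"}), "allow", all_users)
# The explicit deny that becomes necessary once such a broad allow exists.
DENY_OTHERS = Aci("EmployeeNumber-deny-others", EMPLOYEE_NUMBER, "deny",
                  lambda r: not self_via_gssapi(r))

PEOPLE = "ou=People,dc=ite,dc=gmu,dc=edu"
ALICE = "uid=alice," + PEOPLE      # constructed sample user
BOB = "uid=bob," + PEOPLE          # constructed sample user


def scenario(acis: List[Aci]) -> Dict[str, bool]:
    """Who can read alice's employeeNumber under a given set of ACIs?"""
    requests = {
        "self, gssapi": Request(ALICE, "sasl gssapi", ALICE, "employeeNumber"),
        "self, simple bind": Request(ALICE, "simple", ALICE, "employeeNumber"),
        "other user, gssapi": Request(BOB, "sasl gssapi", ALICE, "employeeNumber"),
        "anonymous": Request("", "none", ALICE, "employeeNumber"),
    }
    return {label: can_read(acis, req) for label, req in requests.items()}


if __name__ == "__main__":
    for title, acis in [
        ("allow-only ACI (the reply's version)", [ALLOW_SELF_GSSAPI]),
        ("allow plus deny (all) anyone (the poster's version)", [ALLOW_SELF_GSSAPI, DENY_ANYONE]),
        ("allow-only ACI next to a broad read ACI", [ALLOW_SELF_GSSAPI, READ_ALL_FOR_USERS]),
        ("broad read ACI plus an explicit deny for others",
         [ALLOW_SELF_GSSAPI, READ_ALL_FOR_USERS, DENY_OTHERS]),
    ]:
        print(title, scenario(acis))
```

The second scenario reproduces the poster's symptom: a deny whose bind rule matches everyone silences the allow for the user's own GSSAPI session too. The third shows the caveat in the reply: if another ACI already grants read on all attributes to authenticated users, the allow-only rule does nothing to hide employeeNumber from them, and only then is an explicit deny scoped to that attribute needed. On a live server the equivalent check is an ldapsearch for employeeNumber run once as the user with -Y GSSAPI, once with a simple bind and once anonymously, comparing which sessions get the attribute back.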