[Fedora-directory-users] roles and access control
rmeggins at redhat.com
Tue Jun 14 21:56:54 UTC 2005
Gary Mann wrote:
> a question: we have a requirement where only users that have a role
> are able to see role membership. so if i have role A, i can see the
> membership for role A (search on nsRole=<roleA>) but cannot
> necessarily see role B members, etc. the same restriction applies
> when pulling the nsRole attribute.
> is there any way (via aci) to support this? i've implemented a plugin
> (actually 2 - a computed attribute and preop) that supports this but
> wanted to make sure that i wasn't missing something in aci setup that
> would accomplish the same thing.
Perhaps by using a targetfilter? e.g. assuming the role definition
entry is cn=MyRole,ou=people,dc=example,dc=com
aci: (targetattr="uid ||
3.0; acl "Allow people to see other role members"; allow (read, search,
compare) roledn = "ldap:///cn=MyRole,ou=people,dc=example,dc=com";)
This allows people who are a member of MyRole to see the attributes uid
and cn in any entry under ou=people which matches nsRole=cn=myRole,....
(i.e. any entry which belongs to that role).
I haven't tried it out but this or something like this should work.
See here for more info
> Fedora-directory-users mailing list
> Fedora-directory-users at redhat.com
-------------- next part --------------
A non-text attachment was scrubbed...
Size: 3312 bytes
Desc: S/MIME Cryptographic Signature
More information about the Fedora-directory-users