[Fedora-directory-users] what's wrong with this ACI?

Chen Shaopeng chen_shaopeng at idsignet.com
Fri Nov 4 09:10:48 UTC 2005


speedy zinc wrote:
> I've created two user entries under People:
> 
> Test User: uid=testuser
> Jane Doe : uid=JDoe
> 
> Here's what I'm trying to achieve with access control:
> 
> - Turn off anon access to the entry Test User
> - Allow full access to Test User on Test User
> - Allow (read, search, compare) to JDoe on Test User,
> and
> no other users
> - Allow full access to "cn=Directory Manager" on Test 
> User.
> - Anon access is still allowed on other entries
> 
> So, here is the list of ACIs (besides the inherited
> ones)
> that I've created on the entry Test User:
> 
> (targetattr = "*") (version 3.0;acl "self";allow
> (all)(userdn = "ldap:///uid=testuser,ou=People,
> dc=dummy,dc=com");)
> 
> (targetattr != "userPassword") (version 3.0;acl "No
> anonymous access";deny (all)(userdn =
> "ldap:///anyone");)
> 
> (targetattr = "*") (target =
> "ldap:///uid=testuser,ou=People, dc=dummy,dc=com")
> (version 3.0;acl "Allow JDoe";allow
> (read,compare,search)(userdn =
> "ldap:///uid=JDoe,ou=People, dc=dummy,dc=com");)
> 
> With the ACIs above, it seems that the "No anonymous
> access"
> is taking precedence over the other two. Even the
> "Test 
> User" does not have access to its own data, and JDoe 
> certainly does not either. The only user who has
> access 
> is the Directory Manager.
> 
> How do I achieve my goals with ACI?
> 

Note that ACIs are logically ORed during evaluation. And "deny"
always takes precedence over "allow". So, your ACI
which [deny(all)(userdn="ldap:///anyone")] will take precedence
over the other two. Therefore, even Test User is denied reading
his own data.

You can combine the 3 ACIs above into the following:

(targetattr="*")(target="ldap:///uid=testuser,ou=People,dc=dummy,dc=com")
(version 3.0;acl "Self and JDoe (but no anon to all)";
deny(all)(userdn != "ldap:///uid=testuser,ou=People,dc=dummy,dc=com ||
ldap:///uid=JDoe,ou=People,dc=dummy,dc=com");)

This tells the server to deny to all on that specific target except
if userdn is "testuser" or "JDoe" .

Hope that helps.

csp
-- 
Chen Shaopeng
http://www.idsignet.com
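As an added illustration that is not part of the thread, the following Python models the evaluation rule stated in the reply (ACIs are ORed, deny beats allow, the root DN bypasses ACIs) and runs it over the three ACIs from the question and the combined one from the answer. It assumes the default inherited "Enable anonymous access" ACI is present and ignores target/targetattr filters, since every ACI here applies to the Test User entry.

```python
# Added example, not from the thread: a simplified model of Directory Server
# ACI evaluation (deny beats allow; ACIs are ORed; root DN bypasses ACIs)
# applied to the Test User entry. Target/targetattr filters are ignored.
ANON = None                                   # unauthenticated bind has no DN
TESTUSER = "uid=testuser,ou=People,dc=dummy,dc=com"
JDOE = "uid=JDoe,ou=People,dc=dummy,dc=com"
DIRMGR = "cn=Directory Manager"               # root DN, not subject to ACIs

def bind_rule_matches(rule, bind_dn):
    """Simplified userdn bind rule: (op, [dns]) with op '=' or '!='."""
    op, dns = rule
    if "anyone" in dns:          # ldap:///anyone covers anonymous binds too
        hit = True
    elif "all" in dns:           # ldap:///all covers any authenticated bind
        hit = bind_dn is not None
    else:
        hit = bind_dn is not None and bind_dn.lower() in (d.lower() for d in dns)
    return hit if op == "=" else not hit

def decide(acis, bind_dn, right):
    """Grant `right` only if some allow ACI matches and no deny ACI does."""
    if bind_dn == DIRMGR:
        return True
    allowed = denied = False
    for _name, effect, rights, rule in acis:
        if ("all" in rights or right in rights) and bind_rule_matches(rule, bind_dn):
            if effect == "deny":
                denied = True
            else:
                allowed = True
    return allowed and not denied

# Assumed: the default inherited ACI granting anonymous read/search/compare.
INHERITED = [("Enable anonymous access", "allow",
              {"read", "search", "compare"}, ("=", ["anyone"]))]
ORIGINAL = INHERITED + [
    ("self", "allow", {"all"}, ("=", [TESTUSER])),
    ("No anonymous access", "deny", {"all"}, ("=", ["anyone"])),
    ("Allow JDoe", "allow", {"read", "compare", "search"}, ("=", [JDOE])),
]
COMBINED = INHERITED + [
    ("Self and JDoe (but no anon to all)", "deny", {"all"}, ("!=", [TESTUSER, JDOE])),
]

def who_can(acis, right="read"):
    """Map each subject to whether it gets `right` on the Test User entry."""
    subjects = {"anonymous": ANON, "testuser": TESTUSER,
                "JDoe": JDOE, "Directory Manager": DIRMGR}
    return {who: decide(acis, dn, right) for who, dn in subjects.items()}
```

With the original set, `who_can(ORIGINAL)` leaves only the Directory Manager with read access, exactly the symptom described; with the combined ACI, testuser and JDoe read while anonymous is still denied.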