[Freeipa-users] limit access to a specific CN

Rob Crittenden rcritten at redhat.com
Wed Feb 16 14:55:06 UTC 2011


Peter Doherty wrote:
>
> On Feb 16, 2011, at 04:10 , Sumit Bose wrote:
>
>> On Tue, Feb 15, 2011 at 06:30:51PM -0500, Peter Doherty wrote:
>>>
>>> On Feb 15, 2011, at 14:45 , Simo Sorce wrote:
>>>
>>>> On Tue, 15 Feb 2011 14:09:07 -0500
>>>> Peter Doherty <doherty at hkl.hms.harvard.edu> wrote:
>>>>
>>>>> On Feb 15, 2011, at 14:02 , Rob Crittenden wrote:
>>>>>
>>>>>> Peter Doherty wrote:
>>>>>>> Hello, I'm running Fedora 14 and freeipa 1.2.2-6
>>>>>>>
>>>>>>>
>>>>>>> Can I create a new cn/nsContainer (cn=subgroup,dc=example,dc=com)
>>>>>>> and then create an account that can edit that cn as much as they
>>>>>>> want,
>>>>>>> <snip>
>>>>>>>
>>>>>>
>>>>>> What would you put into this container?
>>>>>>
>>>>>> <snip>
>>>>>>
>>>>>> rob
>>>>>
>>>>> The first thing I'm looking to do with it is have a web server that
>>>>> has account information stored in LDAP, and to allow users to do
>>>>> ldap authentication. The users logging into the web server would be
>>>>> <snip>
>>>>
>>>> It is possible to do using LDAP tools and then setting an ACI on the
>>>> container to give the user you want full control on that container.
>>>>
>>>> Simo.
>>>
>>> Simo,
>>>
>>> This gave me a good starting point, and after reading some more, I'm
>>> starting to wrap my brain around what I want to do and how to do it.
>>> LDAP has a steep learning curve, IMHO.
>>> Can you recommend any GUI tools for creating/modifying the ACI for
>>> the container? I started to try and create an ACI using the ones
>>> within FreeIPA as a reference, but if there's a GUI that would be
>>> useful too. I checked out Apache Directory Studio which looks nice,
>>> but doesn't seem to support the schema that FreeIPA is using.
>>
>> I use Apache Directory Studio to edit FreeIPA LDAP objects and I can
>> also see and edit ACIs. The schema shouldn't be a problem, because the
>> editor can read the schema data from the LDAP server. Which kind of
>> problems are you seeing ?
>
> Well, Apache Directory Studio has ACI editor (looks like this:
> http://directory.apache.org/studio/screenshots.data/aci_visual_1.png )
> so you don't edit the text directly, but rather use a GUI, which builds
> the policy in text and inserts it when you're done editing.
> But it seems to use a different schema than FreeIPA is using...
>
> Peter

You can read about 389-ds acis at:

http://docs.redhat.com/docs/en-US/Red_Hat_Directory_Server/8.2/html-single/Administration_Guide/index.html#Managing_Access_Control

It has 3 basic parts: target, permissions, bind rule

In this case the bind rule is the user you want to allow editing.

The rest depends on whether you want to restrict your user at all. If 
you want it to be able to do anything you can probably get away with 
putting something like this into cn=yourcontainer,dc=example,dc=com (I 
haven't tested this):

aci: (targetattr="*")(version 3.0; acl "Apache access Account"; allow (all) userdn="ldap:///uid=apache,cn=yourcontainer,dc=example,dc=com";)

rob
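
The ACI above, worked through as an added example (this script is not part of the thread or of FreeIPA). It assembles a 389-ds ACI from the three parts Rob names (target, permissions, bind rule), parses such a line back into those parts, and wraps it in the LDIF an ldapmodify would take. The container DN cn=yourcontainer,dc=example,dc=com and the bind user uid=apache are taken from the message; the ACI grammar and the permission keywords follow the Red Hat Directory Server documentation Rob links to, and everything else (function names, the "no delete" variant) is an assumption of this example.

```python
"""Build, parse and package a 389-ds / FreeIPA ACI.

Added example, not code from the mailing-list thread or from FreeIPA.
Assumed names: cn=yourcontainer,dc=example,dc=com (container) and
uid=apache beneath it (bind user), as in Rob's message.
"""
import re

# Permission keywords accepted inside allow(...)/deny(...); per the RHDS
# docs, "all" grants every right except proxy.
PERMISSIONS = {"read", "write", "add", "delete", "search", "compare",
               "selfwrite", "proxy", "all"}

# Rob's (untested) line, exactly as posted, for the round-trip below.
ACI_FROM_THREAD = ('(targetattr="*")(version 3.0; acl "Apache access Account"; '
                   'allow (all) userdn= "ldap:///uid=apache,cn=yourcontainer,'
                   'dc=example,dc=com";)')


def build_aci(acl_name, permissions, bind_userdn, target_attrs=("*",), target_dn=None):
    """Assemble target, permissions and bind rule into one ACI value."""
    for p in permissions:
        if p not in PERMISSIONS:
            raise ValueError(f"unknown permission keyword: {p}")
    target = ""
    if target_dn:  # optional explicit target; the entry's own subtree otherwise
        target += f'(target="ldap:///{target_dn}")'
    attrs = " || ".join(target_attrs)
    target += f'(targetattr="{attrs}")'
    perms = f'allow ({",".join(permissions)})'
    bind = f'userdn="ldap:///{bind_userdn}"'
    return f'{target}(version 3.0; acl "{acl_name}"; {perms} {bind};)'


ACI_RE = re.compile(
    r'^(?P<target>(?:\([a-zA-Z]+\s*=\s*"[^"]*"\))+)'
    r'\(version 3\.0;\s*acl\s+"(?P<name>[^"]*)";\s*'
    r'(?P<kind>allow|deny)\s*\((?P<perms>[^)]*)\)\s*'
    r'(?P<bind>.*?);\s*\)$'
)


def parse_aci(aci):
    """Split an ACI back into its three parts; reject unknown permissions."""
    m = ACI_RE.match(aci.strip())
    if not m:
        raise ValueError("not a recognised version 3.0 ACI")
    targets = dict(re.findall(r'\(([a-zA-Z]+)\s*=\s*"([^"]*)"\)', m.group("target")))
    perms = {p.strip() for p in m.group("perms").split(",") if p.strip()}
    unknown = perms - PERMISSIONS
    if unknown:
        raise ValueError(f"unknown permission keyword(s): {sorted(unknown)}")
    # normalise 'userdn= "..."' (as in the thread) to 'userdn="..."'
    bind_rule = re.sub(r'\s*=\s*', "=", m.group("bind").strip())
    return {"name": m.group("name"), "targets": targets, "kind": m.group("kind"),
            "permissions": perms, "bind_rule": bind_rule}


def _fold(line, width=76):
    """RFC 2849 line folding: continuation lines begin with one space."""
    out, rest = [line[:width]], line[width:]
    while rest:
        out.append(" " + rest[:width - 1])
        rest = rest[width - 1:]
    return "\n".join(out)


def aci_ldif(entry_dn, aci):
    """LDIF that adds the ACI to entry_dn; feed it to
    ldapmodify -x -D "cn=Directory Manager" -W -f aci.ldif"""
    lines = [f"dn: {entry_dn}", "changetype: modify", "add: aci", f"aci: {aci}"]
    return "\n".join(_fold(l) for l in lines) + "\n"


if __name__ == "__main__":
    container = "cn=yourcontainer,dc=example,dc=com"
    apache = f"uid=apache,{container}"
    # Rob's "anything goes" variant, and a tighter one that keeps delete back.
    full = build_aci("Apache access Account", ["all"], apache)
    no_delete = build_aci("Apache access Account (no delete)",
                          ["read", "search", "compare", "write", "add"], apache)
    print(aci_ldif(container, full))
    print(aci_ldif(container, no_delete))
    print(parse_aci(ACI_FROM_THREAD))
```

Because the ACI is placed on the container entry itself and carries no explicit `(target=...)`, it applies to that entry and everything beneath it, which is the scope Peter asked for; `parse_aci` is handy for checking what an existing `aci` attribute returned by ldapsearch actually grants before copying it.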
