[Freeipa-users] Custom ACI entries

Lucas Yamanishi lyamanishi at sesda2.com
Wed May 16 23:07:48 UTC 2012


Hi everybody,

I've added some custom schema to my directory, but it's useless to me if
I can't control read permissions on it.  This is obviously a little
tricky since (Free)IPA allows everybody to read everything by default.
With that, what's the best way to restrict access to user attributes?
Is there anything like this in the roadmap?

For the interim I've crafted some custom ACI entries.  Where should I
put them?  Will they work?  Here they are:

> aci: (targetattr =
>   "attribute1 ||
>   attribute2 ||
>   attribute3")
>  (version 3.0; acl "custom attributes base"; deny (all)
>   (userdn = "ldap:///anyone" and
>   userdn != "ldap:///self" and
>   groupdn != "ldap:///cn=Read custom attributes,cn=permissions,cn=pbac,dc=sesda2,dc=com");)
> 
> aci: (targetattr =
>   "attribute1 ||
>   attribute2 ||
>   attribute3")
>  (version 3.0; acl "custom attributes update"; allow (add, read, write, search, delete)
>   (userdn = "ldap:///self" or
>   groupdn = "ldap:///cn=Manage custom attributes,cn=permissions,cn=pbac,dc=sesda2,dc=com");)


-- 
-----
*question everything*learn something*answer nothing*
------------
Lucas Yamanishi
------------------
Systems Administrator, ADNET Systems, Inc.
7515 Mission Drive, Suite A100
Lanham, MD 20706 * 301-352-4646 * 0xE23F3D7A
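Added example, not part of Lucas's post and not FreeIPA's own tooling: a small bash script that wraps the two ACIs above into an LDIF modify against the users container and then lets you verify, by binding as a given identity, how many of the protected attributes actually come back on one user entry. It assumes the custom attributes live on user entries under cn=users,cn=accounts,$SUFFIX, that the directory at $LDAP_URI accepts simple binds, and that the two permission entries named in the ACIs already exist. The names aci-check.sh, LDAP_URI, LDAP_PW and the user alice are placeholders.

```shell
#!/usr/bin/env bash
# Added example (not from the original post or from FreeIPA): build the two
# custom ACIs from the post as an LDIF modify, and verify what a given bind can
# actually read. Assumed placeholders: SUFFIX, LDAP_URI, LDAP_PW, the cn=users
# container, and the user names passed on the command line.
set -euo pipefail

SUFFIX="${SUFFIX:-dc=sesda2,dc=com}"
LDAP_URI="${LDAP_URI:-ldap://localhost}"        # assumption: simple binds permitted here
USERS_DN="cn=users,cn=accounts,$SUFFIX"         # assumption: attrs live on user entries
PBAC_DN="cn=permissions,cn=pbac,$SUFFIX"

# Join attribute names with " || ", the separator targetattr expects.
join_attrs() {
  local out="" a
  for a in "$@"; do
    if [ -z "$out" ]; then out="$a"; else out="$out || $a"; fi
  done
  printf '%s' "$out"
}

# Emit an LDIF modify that adds both ACIs to the users container. Each aci
# value is kept on one line so LDIF folding rules cannot corrupt it.
# 389-ds evaluates deny before allow, so the deny rule overrides the broad
# anonymous-read ACI at the suffix; the allow rule then restores full access
# for the user itself and for members of the manage permission.
make_aci_ldif() {
  local attrs
  attrs=$(join_attrs "$@")
  cat <<EOF
dn: $USERS_DN
changetype: modify
add: aci
aci: (targetattr = "$attrs")(version 3.0; acl "custom attributes base"; deny (all) (userdn = "ldap:///anyone" and userdn != "ldap:///self" and groupdn != "ldap:///cn=Read custom attributes,$PBAC_DN");)
aci: (targetattr = "$attrs")(version 3.0; acl "custom attributes update"; allow (add, read, write, search, delete) (userdn = "ldap:///self" or groupdn = "ldap:///cn=Manage custom attributes,$PBAC_DN");)
EOF
}

# Count how many of the protected attributes a bind can read on one user.
#   $1 = bind DN (empty string for anonymous), $2 = uid of the entry to read,
#   remaining args = attribute names; the password is taken from $LDAP_PW.
# Expected once the ACIs are in place: anonymous and unrelated users -> 0,
# the user itself and members of the read/manage permissions -> all of them.
visible_attrs() {
  local binddn="$1" uid="$2"; shift 2
  local out pattern
  local args=(-x -LLL -H "$LDAP_URI" -b "uid=$uid,$USERS_DN" -s base)
  if [ -n "$binddn" ]; then
    args+=(-D "$binddn" -w "${LDAP_PW:-}")
  fi
  out=$(ldapsearch "${args[@]}" '(objectclass=*)' "$@") \
    || { echo "ldapsearch failed (rc=$?)" >&2; return 1; }
  pattern="^($(IFS='|'; echo "$*")):"
  printf '%s\n' "$out" | grep -Ec "$pattern" || true
}

# Dispatcher; with no arguments nothing runs, so the file can also be sourced.
#   ./aci-check.sh ldif attribute1 attribute2 attribute3 > custom-aci.ldif
#   ./aci-check.sh apply attribute1 attribute2 attribute3   # prompts for the Directory Manager password
#   LDAP_PW=       ./aci-check.sh check "" alice attribute1 attribute2 attribute3                       # anonymous, expect 0
#   LDAP_PW=s3cr3t ./aci-check.sh check "uid=alice,cn=users,cn=accounts,dc=sesda2,dc=com" alice attribute1 attribute2 attribute3   # self, expect 3
case "${1:-}" in
  ldif)  shift; make_aci_ldif "$@" ;;
  apply) shift; make_aci_ldif "$@" | ldapmodify -x -H "$LDAP_URI" -D "cn=Directory Manager" -W ;;
  check) shift; visible_attrs "$@" ;;
esac
```

Run the check four times: anonymous, the user itself, a member of a role that sits under the "Read custom attributes" permission, and an unrelated authenticated user. The groupdn bind rule depends on 389-ds following nested membership (user, role, privilege, permission), so if a role member gets 0 the first thing to inspect is that membership chain, not the ACI text. On a Kerberos-enabled client, replace `-x -D ... -w ...` with `-Y GSSAPI` to test with a ticket instead of a password.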