[Freeipa-users] Custom ACI entries

Rob Crittenden rcritten at redhat.com
Thu May 17 13:34:31 UTC 2012 

Lucas Yamanishi wrote:
> Hi everybody,
>
> I've added some custom schema to my directory, but it's useless to me if
> if I can't control read permissions on it.  This is obviously a little
> tricky since (Free)IPA allows everybody to ready everything by default.
>   With that, what's the best way to restrict access to user attributes?
> Is there anything like this in the roadmap?

Right now there is are no plans to support deny ACIs natively in the 
permission plugin. That isn't set into stone, we just need some convincing.

The best way to do this is what you've done, manually creating ACIs. The 
problem with deny ACIs is they can get very hard to unwind when trying 
to figure out why things aren't working.

> For the interim I've crafted some custom aci entries.  Where should I
> put them?  Will they work?  Here they are:
>
>> aci: (targetattr =
>>    "attribute1 ||
>>    attribute2 ||
>>    attribute3")
>>   (version 3.0; acl "custom attributes base"; deny (all)
>>    (userdn = "ldap:///anyone" and
>>    userdn != "ldap:///self" and
>>    groupdn != "ldap:///cn=Read custom attributes,cn=permissions,cn=pbac,dc=sesda2,dc=com");)
>>
>> aci: (targetattr =
>>    "attribute1 ||
>>    attribute2 ||
>>    attribute3")
>>   (version 3.0; acl "custom attributes update"; allow (add, read, write, search, delete)
>>    (userdn = "ldap:///self" or
>>    groupdn = "ldap:///cn=Manage custom attributes,cn=permissions,cn=pbac,dc=sesda2,dc=com");)
>
>

We put all ACIs into the basedn, so for you dc=sesda2,dc=com.

This is going to be tricky since you want to delegate these but you 
can't create them natively. This means you need to create both the aci 
and the permission entry.

A sample permission would look like:

dn: cn=Read custom attributes,cn=permissions,cn=pbac,dc=sesda2,dc=com
objectClass: top
objectClass: groupofnames
objectClass: ipapermission
cn: Read custom attributes

The ACIs need a little bit of work. The name of the aci needs to match 
the name of the ACI that permission is being granted to, with a prefix 
of permission:. So it should look more like:

aci: (targetattr =  "attribute1 ||  attribute2 ||  attribute3")
  (version 3.0; acl "permission:Read custom attributes"; deny (all)
   (userdn = "ldap:///anyone" and
   userdn != "ldap:///self" and
   groupdn != "ldap:///cn=Read custom 
attributes,cn=permissions,cn=pbac,dc=sesda2,dc=com");)

For the second ACI you don't need add and delete, those are entry-level 
permissions. You might want to add compare though.

We also tend to separate things you can do to your own entry from things 
you can do to others. So we would break this out into some selfservice 
ACIs and permission ACIs. Not saying what you're doing won't work.

rob

More information about the Freeipa-users mailing list