[Freeipa-users] Custom ACI entries
Lucas Yamanishi
lyamanishi at sesda2.com
Thu May 17 16:34:46 UTC 2012
On 05/17/2012 09:34 AM, Rob Crittenden wrote:
> ...
>
> The ACIs need a little bit of work. The name of the aci needs to
> match the name of the ACI that permission is being granted to, with a
> prefix of permission:. So it should look more like:
>
> aci: (targetattr = "attribute1 || attribute2 || attribute3")
> (version 3.0; acl "permission:Read custom attributes"; deny (all)
> (userdn = "ldap:///anyone" and userdn != "ldap:///self" and groupdn
> != "ldap:///cn=Read custom
> attributes,cn=permissions,cn=pbac,dc=sesda2,dc=com");)
>
> For the second ACI you don't need add and delete, those are
> entry-level permissions. You might want to add compare though.
>
> We also tend to separate things you can do to your own entry from
> things you can do to others. So we would break this out into some
> selfservice ACIs and permission ACIs. Not saying what you're doing
> won't work.
>
> rob
BTW, what's the origin of the naming restrictions? Is it an IPA thing?
Here are my updated ACIs:
<pre>
# Continuation lines are folded with a leading space (LDIF folding); the
# extra space is kept in the value so the tokens stay separated when joined.
dn: dc=sesda2,dc=com
changetype: modify
add: aci
aci: (targetattr = "privateAttribute1 ||
  privateAttribute2 ||
  privateAttribute3 ||
  privateAttribute4")
  (version 3.0; acl "permission:Read custom attributes"; deny (all)
  (userdn = "ldap:///anyone" and
  groupdn != "ldap:///cn=Read custom
  attributes,cn=permissions,cn=pbac,dc=sesda2,dc=com");)

dn: dc=sesda2,dc=com
changetype: modify
add: aci
aci: (targetattr = "privateAttribute1 ||
  privateAttribute2")
  (version 3.0; acl "permission:Does this need a special name?"; allow
  (read, search, compare)
  userdn = "ldap:///self";)

dn: dc=sesda2,dc=com
changetype: modify
add: aci
aci: (targetattr = "privateAttribute1 ||
  privateAttribute2 ||
  privateAttribute3 ||
  privateAttribute4")
  (version 3.0; acl "permission:Manage custom attributes"; allow
  (read, write, search, compare)
  groupdn = "ldap:///cn=Manage custom
  attributes,cn=permissions,cn=pbac,dc=sesda2,dc=com";)
</pre>
-----
*question everything*learn something*answer nothing*
------------
Lucas Yamanishi
------------------
Systems Administrator, ADNET Systems, Inc.
7515 Mission Drive, Suite A100
Lanham, MD 20706 * 301-352-4646 * 0xE23F3D7A
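A small check for the naming rule Rob describes (the acl name must be "permission:" followed by the name of the permission the bind rule grants to), added here as an example; it is not code from the thread or from FreeIPA. It unfolds LDIF continuation lines, pulls out each aci value, and for every ACI whose bind rule references a cn=...,cn=permissions,cn=pbac group verifies that the acl name matches. The sample LDIF and the dc=example,dc=com suffix are constructed.

```python
import re

# Constructed sample LDIF in the same layout as the ACIs in the thread;
# the second ACI deliberately violates the permission: naming rule.
SAMPLE_LDIF = """\
dn: dc=example,dc=com
changetype: modify
add: aci
aci: (targetattr = "privateAttribute1 || privateAttribute2")(version 3.0;
  acl "permission:Read custom attributes"; deny (all) (userdn = "ldap:///anyone"
  and groupdn != "ldap:///cn=Read custom
  attributes,cn=permissions,cn=pbac,dc=example,dc=com");)

dn: dc=example,dc=com
changetype: modify
add: aci
aci: (targetattr = "privateAttribute1")(version 3.0; acl "permission:Wrong name";
  allow (read, search, compare) groupdn = "ldap:///cn=Manage custom
  attributes,cn=permissions,cn=pbac,dc=example,dc=com";)
"""

ACL_NAME = re.compile(r'acl\s+"([^"]*)"')
# cn of a permission group referenced (positively or negatively) by a groupdn bind rule
PERM_GROUP = re.compile(r'groupdn\s*!?=\s*"ldap:///cn=([^,"]+),cn=permissions,cn=pbac,', re.I)


def unfold_ldif(text):
    """Join LDIF continuation lines: a line starting with one space continues the previous one."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines


def extract_acis(text):
    """Return the unfolded aci attribute values found in the LDIF text."""
    return [line[len("aci:"):].strip() for line in unfold_ldif(text) if line.startswith("aci:")]


def check_permission_names(text):
    """For each ACI that references a permission group, return (acl name, expected name, ok)."""
    findings = []
    for aci in extract_acis(text):
        m = ACL_NAME.search(aci)
        if not m:
            continue
        name = m.group(1)
        for perm in PERM_GROUP.findall(aci):
            expected = "permission:" + perm
            findings.append((name, expected, name == expected))
    return findings
```

ACIs with no permission group in their bind rule (such as a userdn = "ldap:///self" selfservice ACI) produce no finding, since the rule only applies to ACIs granted to a permission.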