[Freeipa-users] Custom ACI entries

Lucas Yamanishi lyamanishi at sesda2.com
Thu May 17 16:34:46 UTC 2012


On 05/17/2012 09:34 AM, Rob Crittenden wrote:
> ...
> 
> The ACIs need a little bit of work. The name of the aci needs to
> match the name of the ACI that permission is being granted to, with a
> prefix of permission:. So it should look more like:
> 
> aci: (targetattr =  "attribute1 ||  attribute2 ||  attribute3") 
> (version 3.0; acl "permission:Read custom attributes"; deny (all) 
> (userdn = "ldap:///anyone" and userdn != "ldap:///self" and groupdn
> != "ldap:///cn=Read custom 
> attributes,cn=permissions,cn=pbac,dc=sesda2,dc=com");)
> 
> For the second ACI you don't need add and delete, those are
> entry-level permissions. You might want to add compare though.
> 
> We also tend to separate things you can do to your own entry from
> things you can do to others. So we would break this out into some
> selfservice ACIs and permission ACIs. Not saying what you're doing
> won't work.
> 
> rob

BTW, what's the origin of the naming restrictions?  Is it an IPA thing?


Here are my updated ACIs:

dn: dc=sesda2,dc=com
changetype: modify
add: aci
aci: (targetattr =
  "privateAttribute1 ||
  privateAttribute2 ||
  privateAttribute3 ||
  privateAttribute4")
 (version 3.0; acl "permission:Read custom attributes"; deny (all)
  (userdn = "ldap:///anyone" and
  groupdn != "ldap:///cn=Read custom
  attributes,cn=permissions,cn=pbac,dc=sesda2,dc=com");)

dn: dc=sesda2,dc=com
changetype: modify
add: aci
aci: (targetattr =
  "privateAttribute1 ||
  privateAttribute2")
 (version 3.0; acl "permission:Does this need a special name?"; allow
  (read, search, compare)
  userdn = "ldap:///self";)

dn: dc=sesda2,dc=com
changetype: modify
add: aci
aci: (targetattr =
  "privateAttribute1 ||
  privateAttribute2 ||
  privateAttribute3 ||
  privateAttribute4")
 (version 3.0; acl "permission:Manage custom attributes"; allow
  (read, write, search, compare)
  groupdn = "ldap:///cn=Manage custom
  attributes,cn=permissions,cn=pbac,dc=sesda2,dc=com";)


-----
*question everything*learn something*answer nothing*
------------
Lucas Yamanishi
------------------
Systems Administrator, ADNET Systems, Inc.
7515 Mission Drive, Suite A100
Lanham, MD 20706 * 301-352-4646 * 0xE23F3D7A
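Added example, not code from the thread or from FreeIPA: a small Python check for the naming rule Rob describes (the acl name must be "permission:" followed by the cn of the permission group named in the bind rule), run over a constructed LDIF copy of two of the ACIs above. The LDIF is folded with single-space continuation lines so the line-wrapped group DN is reassembled correctly before the check; the regexes and the cn=permissions,cn=pbac container path are assumptions taken from the DNs in the thread.

```python
import re
# Constructed sample LDIF: two of the post's ACIs, folded the LDIF way
# (RFC 2849: a line that starts with one space continues the previous line).
LDIF = """\
dn: dc=sesda2,dc=com
changetype: modify
add: aci
aci: (targetattr = "privateAttribute1 || privateAttribute2")
  (version 3.0; acl "permission:Does this need a special name?"; allow
  (read, search, compare) userdn = "ldap:///self";)
aci: (targetattr = "privateAttribute1 || privateAttribute2")
  (version 3.0; acl "permission:Manage custom attributes"; allow
  (read, write, search, compare) groupdn = "ldap:///cn=Manage custom
  attributes,cn=permissions,cn=pbac,dc=sesda2,dc=com";)
"""
ACL_NAME = re.compile(r'acl\s+"([^"]*)"')
# cn of any groupdn (= or !=) pointing into IPA's cn=permissions container
PERM_GROUP = re.compile(r'groupdn\s*!?=\s*"ldap:///cn=([^,"]+),cn=permissions,cn=pbac,')

def unfold_ldif(text):
    """Join folded LDIF lines so every attribute value sits on one line."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]  # drop the fold marker, keep the rest
        else:
            lines.append(raw)
    return lines

def aci_values(text):
    """Return the unfolded aci: values in an LDIF fragment."""
    return [ln[5:] for ln in unfold_ldif(text) if ln.startswith("aci: ")]

def check_aci(aci):
    """(acl name, findings) for one ACI under the rule Rob describes: an ACI
    bound to cn=<X>,cn=permissions must be named 'permission:<X>'."""
    m = ACL_NAME.search(aci)
    name = m.group(1) if m else "?"
    groups = PERM_GROUP.findall(aci)
    if name.startswith("permission:"):
        if not groups:
            return (name, ["permission: prefix but no cn=permissions group in bind rule"])
        if name[len("permission:"):] not in groups:
            return (name, [f"name does not match permission group(s) {groups}"])
    elif groups:
        return (name, [f"binds permission group(s) {groups} without the permission: prefix"])
    return (name, [])

def audit(text):
    return [check_aci(a) for a in aci_values(text)]
```

The self-service ACI is flagged because it carries the permission: prefix without binding any permission group, which is the case Rob suggests splitting out from the permission ACIs.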
