directory-users mailing list archives

From "Ersin Er" <ersin...@gmail.com>
Subject Re: ACI with self and posixAccount
Date Tue, 01 May 2007 19:45:22 GMT
Hi,

On 5/1/07, Martin Marcher <martin.marcher@gmail.com> wrote:
> Hello,
>
> I'm playing around with the ACIs right now and followed the example in
> the apache 1.0.1 docs (hope they still apply; I'm on apacheds 1.5.0 now
> since I need the dynamic schema after figuring out the ACI stuff)
>
> I'd like the following:
>
> cn=Manager,dc=example,dc=com can access everything in dc=example,dc=com (DONE)
>
> all posixAccount or inetOrgPerson objects in
> ou=people,dc=example,dc=com should be allowed to change the password
> of the "self" entry (sorry, lacking better terms; don't know if that's
> appropriate) but no one else (except for Manager of course)

First of all you can use such a subtreeSpecification:

{ specificationFilter or:{ item:posixAccount, item:inetOrgPerson } }

And you may have such a prescriptiveACI:

{
  identificationTag "allowUserToChangeHisOrHerPassword_ACI",
  precedence 10, authenticationLevel simple,
  itemOrUserFirst userFirst: {
    userClasses {
      thisEntry
    },
    userPermissions {
      {
        protectedItems {
          entry
        },
        grantsAndDenials {
          grantModify
        }
      },
      {
        protectedItems {
          allAttributeValues { userPassword }
        },
        grantsAndDenials {
          grantRemove, grantAdd
        }
      }
    }
  }
}

If you want to allow the user to be able to read his/her password value
you need to grantRead in the second userPermission.

> This is where I'm not sure how to tell apacheds that this self entry
> can access/change the password but no one else.
>
> And a few other restrictions like not changing the address or similar
> stuff which I was able to figure out.
>
>
> The second thing is that LDAPStudio won't show a posixAccount or
> posixGroup objectClass, was it dropped in 1.5 or am I doing something
> wrong? I'll be happy to provide details but I'm not too proficient
> with ldap right now.
>
> thanks
> --
> Martin Marcher
> martin.marcher@gmail.com
> http://www.mycorners.com
> https://www.xing.com/profile/Martin_Marcher
> http://www.linkedin.com/in/martinmarcher
> http://www.studivz.net/profile.php?ids=9f83ea8c5996b8ec
> http://www.amazon.de/gp/registry/wishlist/3KDAGCL2NKOIM/ref=reg_hu-wl_goto-registry/302-4432803-5146435?ie=UTF8&sort=date-added
>

HTH,
-- 
Ersin
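A simplified Python model of how the prescriptiveACI above is evaluated, added here as an example; it is not part of the reply or of ApacheDS. The directory entries are constructed, the Manager's separate ACI is not modelled, and reading is checked only against the second userPermission as the reply describes.

```python
# Constructed sample directory (not from the original post): two people entries
# matched by the subtree specification's objectClass filter, and one that is not.
DIRECTORY = {
    "uid=alice,ou=people,dc=example,dc=com": {"objectClass": {"posixAccount"}},
    "uid=bob,ou=people,dc=example,dc=com": {"objectClass": {"inetOrgPerson"}},
    "cn=printer1,ou=people,dc=example,dc=com": {"objectClass": {"device"}},
}

# { specificationFilter or:{ item:posixAccount, item:inetOrgPerson } }
FILTER_CLASSES = {"posixAccount", "inetOrgPerson"}

# The two userPermissions of the ACI as data: (protected items, grants).
# "userPassword" stands for allAttributeValues { userPassword }.
ACI_USER_PERMISSIONS = [
    ({"entry"}, {"grantModify"}),
    ({"userPassword"}, {"grantRemove", "grantAdd"}),
]


def aci_applies(requester_dn, target_dn):
    """The ACI covers an entry only if the subtree filter matches it, and the
    userClass thisEntry matches only when the requester *is* that entry."""
    entry = DIRECTORY.get(target_dn)
    if entry is None or not (entry["objectClass"] & FILTER_CLASSES):
        return False
    return requester_dn == target_dn


def granted(requester_dn, target_dn, protected_item, permission):
    """Default deny: a permission holds only if some userPermission grants it
    for that protected item ("entry" or an attribute name)."""
    if not aci_applies(requester_dn, target_dn):
        return False
    return any(protected_item in items and permission in grants
               for items, grants in ACI_USER_PERMISSIONS)


def may_change_password(requester_dn, target_dn):
    """Replacing userPassword needs grantModify on the entry plus grantRemove
    (old value) and grantAdd (new value) on the attribute values."""
    needed = [("entry", "grantModify"),
              ("userPassword", "grantRemove"), ("userPassword", "grantAdd")]
    return all(granted(requester_dn, target_dn, i, p) for i, p in needed)


def may_read_password(requester_dn, target_dn):
    """Reading the value needs grantRead on the userPassword values; the ACI
    as posted does not grant it, so this stays False until grantRead is added."""
    return granted(requester_dn, target_dn, "userPassword", "grantRead")
```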
