From "Ersin Er" <ersin...@gmail.com>
Subject Re: ACI with self and posixAccount
Date Tue, 01 May 2007 19:53:35 GMT
Here is a more compact formatted ACI:

{
  identificationTag "allowUserToChangeHisOrHerPassword_ACI",
  precedence 10, authenticationLevel simple,
  itemOrUserFirst userFirst:
  {
    userClasses {  thisEntry  },
    userPermissions
    {
      {
        protectedItems {  entry  },
        grantsAndDenials {  grantModify  }
      },
      {
        protectedItems {  allAttributeValues {  userPassword  }  },
        grantsAndDenials {  grantRemove, grantAdd  }
      }
    }
  }
}

BTW, for this ACI to work, the userPassword attribute should have an
existing value before the user tries to add a value, because otherwise
it will mean the creation of the attribute, and the user will need a
grantAdd on the attributeType userPassword (which is still possible
with our ACI system).

On 5/1/07, Ersin Er <ersin.er@gmail.com> wrote:
> Hi,
>
> On 5/1/07, Martin Marcher <martin.marcher@gmail.com> wrote:
> > Hello,
> >
> > I'm playing around with the ACIs right now and followed the example in
> > the apache 1.0.1 docs (hope they still apply, I'm on apacheds 1.5.0 now
> > since I need the dynamic schema after figuring out the ACI stuff)
> >
> > I'd like the following:
> >
> > cn=Manager,dc=example,dc=com can access everything in dc=example,dc=com (DONE)
> >
> > all posixAccount or inetOrgPerson objects in
> > ou=people,dc=example,dc=com should be allowed to change the password
> > of the "self" entry (sorry, lacking better terms, don't know if that's
> > appropriate) but no one else (except for Manager of course)
>
> First of all you can use such a subtreeSpecification:
>
> { specificationFilter or:{ item:posixAccount, item:inetOrgPerson } }
>
> And you may have such a prescriptiveACI:
>
> {
>   identificationTag "allowUserToChangeHisOrHerPassword_ACI",
>   precedence 10, authenticationLevel simple,
>   itemOrUserFirst userFirst: {
>     userClasses {
>       thisEntry
>     },
>     userPermissions {
>       {
>         protectedItems {
>           entry
>         },
>         grantsAndDenials {
>           grantModify
>         }
>       },
>       {
>         protectedItems {
>           allAttributeValues { userPassword }
>         },
>         grantsAndDenials {
>           grantRemove, grantAdd
>         }
>       }
>     }
>   }
> }
>
> If you want to allow the user to be able to read his/her password value
> you need to grantRead in the second UserPermission.
>
> > This is where I'm not sure how to tell apacheds that this self entry
> > can access/change the password but no one else.
> >
> > And a few other restrictions like not changing the address or similar
> > stuff which I was able to figure out.
> >
> >
> > The second thing is that LDAPStudio won't show a posixAccount or
> > posixGroup objectClass, was it dropped in 1.5 or am I doing something
> > wrong? I'll be happy to provide details but I'm not too proficient
> > with ldap right now.
> >
> > thanks
> > --
> > Martin Marcher
> > martin.marcher@gmail.com
> > http://www.mycorners.com
> > https://www.xing.com/profile/Martin_Marcher
> > http://www.linkedin.com/in/martinmarcher
> > http://www.studivz.net/profile.php?ids=9f83ea8c5996b8ec
> > http://www.amazon.de/gp/registry/wishlist/3KDAGCL2NKOIM/ref=reg_hu-wl_goto-registry/302-4432803-5146435?ie=UTF8&sort=date-added
> >
>
> HTH,
> --
> Ersin
>


-- 
Ersin
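As an added illustration (not code from this thread or from ApacheDS), here is a small Python parser for the ACI item notation used above. It summarises what a userFirst ACI grants to thisEntry, including the caveat from the message that adding a userPassword value to an entry that has none requires grantAdd on the attributeType itself. The sample input is the compact ACI from this message; the key names in the returned dict are my own.

```python
import re

# Tokens of the ACI item notation: braces, commas, colons, quoted strings, identifiers, integers.
_TOKEN = re.compile(r'\s*(\{|\}|,|:|"[^"]*"|[A-Za-z_][\w-]*|\d+)')

def _parse_set(tokens, i):
    """Parse the brace set at tokens[i] into its comma-separated elements (nested sets
    become nested lists); return (elements, index just past the closing brace)."""
    i, elements, current = i + 1, [], []
    while tokens[i] != '}':
        if tokens[i] == '{':
            nested, i = _parse_set(tokens, i)
            current.append(nested)
        else:
            if tokens[i] == ',':
                elements, current = elements + [current], []
            else:
                current.append(tokens[i])
            i += 1
    return elements + ([current] if current else []), i + 1

def parse_aci(text):
    return _parse_set(_TOKEN.findall(text), 0)[0]

def _fields(elements):  # leading keyword of each element -> the tokens that follow it
    return {e[0]: e[1:] for e in elements if isinstance(e[0], str)}

def _keys(item):  # ['entry'] -> ['entry']; ['allAttributeValues', [['x']]] -> ['allAttributeValues:x']
    return [item[0]] if len(item) == 1 else [f"{item[0]}:{' '.join(s)}" for s in item[1]]

def check_password_aci(text):
    top = _fields(parse_aci(text))
    kind, _, body = top['itemOrUserFirst']
    assert kind == 'userFirst', 'only userFirst ACIs are handled here'
    uf, grants = _fields(body), {}
    for perm in uf['userPermissions'][0]:  # each element is one { protectedItems, grantsAndDenials } pair
        p = _fields(perm[0])
        for key in (k for item in p['protectedItems'][0] for k in _keys(item)):
            grants.setdefault(key, set()).update(g[0] for g in p['grantsAndDenials'][0])
    values = grants.get('allAttributeValues:userPassword', set())
    return {
        'self_only': [k for uc in uf['userClasses'][0] for k in _keys(uc)] == ['thisEntry'],
        'can_modify_entry': 'grantModify' in grants.get('entry', set()),
        'can_replace_value': {'grantAdd', 'grantRemove'} <= values,
        'can_read_value': 'grantRead' in values,
        # creating userPassword on an entry that has none needs grantAdd on the attributeType itself
        'can_create_attribute': 'grantAdd' in grants.get('attributeType:userPassword', set()),
    }

# The compact ACI from the message above, embedded as the sample input.
THREAD_ACI = '''{ identificationTag "allowUserToChangeHisOrHerPassword_ACI", precedence 10,
  authenticationLevel simple, itemOrUserFirst userFirst: { userClasses { thisEntry },
  userPermissions { { protectedItems { entry }, grantsAndDenials { grantModify } },
  { protectedItems { allAttributeValues { userPassword } }, grantsAndDenials { grantRemove, grantAdd } } } } }'''
```

Running check_password_aci(THREAD_ACI) reports that the user can modify the entry and replace the password value but neither read it nor create the attribute from scratch, which is exactly the behaviour described in the message.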
