directory-users mailing list archives

From Mike Przybylski <mi...@gimmethebrain.net>
Subject Re: [ApacheDS] Protecting entries with specific objectClass attribute values
Date Tue, 07 Jan 2014 15:52:22 GMT
Hello, Kiran,

Thank you for the reply.

Performing all deletes with a separate role is a reasonable compromise.

Thank you for the help.

Best regards,
Mike Przybylski

On Jan 7, 2014, at 1:56 AM, Kiran Ayyagari <kayyagari@apache.org> wrote:

> On Tue, Jan 7, 2014 at 3:52 AM, Mike Przybylski <mikep@gimmethebrain.net>wrote:
> 
>> Hello,
>> 
>> I’m trying to lock down what my (Atlassian) Crowd server can do to my
>> directory, and one of the things I DON’T want my crowd server to do is
>> delete any users with objectClass=posixAccount.
>> 
>> However, the following…
>> 
>>                protectedItems
>>                {
>>                    entry,
>>                    attributeValue {objectclass=posixAccount }
>>                }
>>                ,
>>                grantsAndDenials { denyRemove }
>> 
>> …prevents the deletion of any entries.
>> 
>> Is protecting an entry with a specific objectClass attribute value even
>> possible?  If so, how do I configure the prescriptiveACI properly?
>> 
> AFAIK, this is not possible, instead if you want to prevent the user used
> by Crowd server to connect
> to the directory server from deleting entries then add a special role to
> that user and apply the below
> given ACI (forget not to replace the value of userGroup)
> 
> {
>    identificationTag "preventEntryDelete",
>    precedence 15,
>    authenticationLevel simple,
>    itemOrUserFirst userFirst:
>    {
>        userClasses
>        {
>            userGroup { "cn=Operator,ou=groups,dc=example,dc=com" }
>        }
>        ,
>        userPermissions
>        {
>            {
>                protectedItems { entry },
>                grantsAndDenials
>                {
>                    grantFilterMatch,
>                    denyRemove,
>                    grantBrowse,
>                    grantRead,
>                    grantReturnDN
>                }
>            }
>        }
>    }
> }
> 
> HTH
> 
> Best regards,
>> Mike Przybylski
> 
> 
> 
> 
> -- 
> Kiran Ayyagari
> http://keydap.com
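As an added example (not part of the thread), here is one way to deploy the ACI from Kiran's reply on ApacheDS as LDIF: the base entry is made an access-control administrative point, the group named in userGroup gets the Crowd bind DN as its member, and the ACI is stored in an accessControlSubentry. The suffix dc=example,dc=com and the bind entry uid=crowd,ou=system are assumptions, and the ACI interceptor must be enabled on the server.

```ldif
# Added example, not from the thread; DNs and the Crowd bind entry are assumed.
# 1. Make the base entry an access-control administrative point so that
#    accessControlSubentry entries below it take effect.
dn: dc=example,dc=com
changetype: modify
add: administrativeRole
administrativeRole: accessControlSpecificArea

# 2. The group referenced by userGroup in the ACI; the only member is the
#    DN Crowd binds with (uid=crowd,ou=system is an assumed bind entry).
dn: cn=Operator,ou=groups,dc=example,dc=com
changetype: add
objectClass: top
objectClass: groupOfNames
cn: Operator
member: uid=crowd,ou=system

# 3. The subentry carrying the prescriptiveACI from the reply. An empty
#    subtreeSpecification covers the whole area under the administrative point.
dn: cn=preventEntryDelete,dc=example,dc=com
changetype: add
objectClass: top
objectClass: subentry
objectClass: accessControlSubentry
cn: preventEntryDelete
subtreeSpecification: { }
prescriptiveACI: { identificationTag "preventEntryDelete", precedence 15, authenticationLevel simple, itemOrUserFirst userFirst: { userClasses { userGroup { "cn=Operator,ou=groups,dc=example,dc=com" } }, userPermissions { { protectedItems { entry }, grantsAndDenials { grantFilterMatch, denyRemove, grantBrowse, grantRead, grantReturnDN } } } } }
```

Load it with `ldapmodify -H ldap://localhost:10389 -D uid=admin,ou=system -W -f deny-delete.ldif` (port and admin DN are ApacheDS defaults). To check it, bind as uid=crowd,ou=system and attempt a delete of a test entry; the server should refuse with insufficientAccessRights while searches still succeed.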

