directory-users mailing list archives

From Kiran Ayyagari <kayyag...@apache.org>
Subject Re: [ApacheDS] Protecting entries with specific objectClass attribute values
Date Tue, 07 Jan 2014 09:56:13 GMT
On Tue, Jan 7, 2014 at 3:52 AM, Mike Przybylski <mikep@gimmethebrain.net> wrote:

> Hello,
>
> I’m trying to lock down what my (Atlassian) Crowd server can do to my
> directory, and one of the things I DON’T want my crowd server to do is
> delete any users with objectClass=posixAccount.
>
> However, the following…
>
>                 protectedItems
>                 {
>                     entry,
>                     attributeValue {objectclass=posixAccount }
>                 }
>                 ,
>                 grantsAndDenials { denyRemove }
>
> …prevents the deletion of any entries.
>
> Is protecting an entry with a specific objectClass attribute value even
> possible?  If so, how do I configure the prescriptiveACI properly?
>
AFAIK, this is not possible; instead, if you want to prevent the user used by the Crowd server to connect to the directory server from deleting entries, then add a special role to that user and apply the below given ACI (don't forget to replace the value of userGroup):

{
    identificationTag "preventEntryDelete",
    precedence 15,
    authenticationLevel simple,
    itemOrUserFirst userFirst:
    {
        userClasses
        {
            userGroup { "cn=Operator,ou=groups,dc=example,dc=com" }
        }
        ,
        userPermissions
        {
            {
                protectedItems { entry },
                grantsAndDenials
                {
                    grantFilterMatch,
                    denyRemove,
                    grantBrowse,
                    grantRead,
                    grantReturnDN
                }
            }
        }
    }
}

HTH

> Best regards,
> Mike Przybylski
-- 
Kiran Ayyagari
http://keydap.com
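The reply gives only the ACI itself; the steps around it (marking the administrative area, creating the group that acts as the "special role", and wrapping the ACI in an access control subentry) are what actually make it take effect. The LDIF below is an added example, not from the thread, that spells out the whole procedure for ApacheDS. It assumes the naming context dc=example,dc=com, an existing ou=groups container, and a placeholder Crowd bind user uid=crowd-bind,ou=users,dc=example,dc=com; the group DN is the one used in the reply's ACI. One caveat a practitioner should check first: ApacheDS ships with access control disabled (ads-accessControlEnabled in the config partition), and no prescriptiveACI is evaluated until it is switched on.

```ldif
# Added example (not from the thread). Placeholders: the Crowd bind user DN,
# the naming context dc=example,dc=com and the ou=groups container.

# 1. Mark the naming context as an access control specific area; without this
#    the subentry below is ignored.
dn: dc=example,dc=com
changetype: modify
add: administrativeRole
administrativeRole: accessControlSpecificArea

# 2. The "special role": a group whose members are the Crowd bind user(s).
#    userGroup in an ACI matches the uniqueMember values of the group.
dn: cn=Operator,ou=groups,dc=example,dc=com
changetype: add
objectClass: top
objectClass: groupOfUniqueNames
cn: Operator
uniqueMember: uid=crowd-bind,ou=users,dc=example,dc=com

# 3. The access control subentry carrying the prescriptiveACI from the reply.
#    subtreeSpecification { } covers everything under dc=example,dc=com;
#    narrow it with e.g. { base "ou=users" } if only that subtree matters.
#    LDIF folding: a continuation line starts with one space; the second
#    space keeps the word gap when the value is joined back together.
dn: cn=preventEntryDelete,dc=example,dc=com
changetype: add
objectClass: top
objectClass: subentry
objectClass: accessControlSubentry
cn: preventEntryDelete
subtreeSpecification: { }
prescriptiveACI: { identificationTag "preventEntryDelete", precedence 15,
  authenticationLevel simple, itemOrUserFirst userFirst: { userClasses {
  userGroup { "cn=Operator,ou=groups,dc=example,dc=com" } }, userPermissions {
  { protectedItems { entry }, grantsAndDenials { grantFilterMatch, denyRemove,
  grantBrowse, grantRead, grantReturnDN } } } } }
```

Apply it as the directory administrator, e.g. `ldapmodify -x -H ldap://localhost:10389 -D uid=admin,ou=system -W -f prevent-delete.ldif` (10389 is the ApacheDS default LDAP port). To confirm the rule is live, bind as the Crowd user and try to delete a throwaway test entry: the server should answer with insufficientAccessRights (result code 50) while searches by the same user still succeed, because the ACI grants browse, read and return-DN alongside the denyRemove.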
