directory-users mailing list archives

From Emmanuel Lécharny <elecha...@gmail.com>
Subject Re: Access Control
Date Wed, 19 Nov 2014 23:35:54 GMT
On 19/11/14 12:56, Christoph Witzany wrote:
> Hi guys!
>
> I need to create an Apache Directory Server installation with multiple
> partitions.
>
> For each partition there should be one or more admin users that can
> read/browse/edit only this partition.
> Additionally, the partitions will contain organisational units, where again a
> set of users can manage the respective subtree.
>
> If I understood the docs right this should be doable with Prescriptive ACIs.
>
> My first try at an ACI was something like this (in a subentry of
> dc=kig1,dc=example,dc=com):
>
> {
>     identificationTag "kigAdmin",
>     precedence 0,
>     authenticationLevel simple,
>     itemOrUserFirst itemFirst:
>     {
>         protectedItems
>         {
>             entry,
>             allUserAttributeTypes,
>             allUserAttributeTypesAndValues
>         }
>         ,
>         itemPermissions
>         {
>             {
>                 precedence 0,
>                 userClasses
>                 {
>                     name { "uid=admin,ou=kig1ki1,dc=kig1,dc=example,dc=com" }
>                 }
>                 ,
>                 grantsAndDenials
>                 {
>                     grantRename,
>                     grantExport,
>                     grantRemove,
>                     grantInvoke,
>                     grantDiscloseOnError,
>                     grantRead,
>                     grantAdd,
>                     grantBrowse,
>                     grantImport,
>                     grantCompare,
>                     grantReturnDN,
>                     grantModify,
>                     grantFilterMatch
>                 }
>             }
>         }
>     }
> }

Have you tried something like this:

{
    identificationTag "kigAdmin",
    precedence 0,
    authenticationLevel simple,
    itemOrUserFirst userFirst:
    {
        userClasses
        {
            name { "uid=admin,ou=kig1ki1,dc=kig1,dc=example,dc=com"}
        },
        userPermissions
        {
            {
                protectedItems
                {
                    entry,
                    allUserAttributeTypes,
                    allUserAttributeTypesAndValues
                },
                grantsAndDenials
                {
                    grantRename,
                    grantExport,
                    grantRemove,
                    grantInvoke,
                    grantDiscloseOnError,
                    grantRead,
                    grantAdd,
                    grantBrowse,
                    grantImport,
                    grantCompare,
                    grantReturnDN,
                    grantModify,
                    grantFilterMatch
                }
            }
        }
    }
}

In this case, we state that the uid=admin,ou=kig1ki1,... admin can
see/update all the entries in the part of the tree associated with the
subentry, and that no other user can.

Can you tell me if it's any better?
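As an added example (not from either poster), here is how the userFirst ACI above could be deployed as LDIF: the partition root is marked as an access-control administrative point, one subentry grants the partition-wide admin, and a second subentry scoped with a subtreeSpecification base grants an OU-level admin only its own subtree, which covers both requirements from the original question. The DN uid=admin,ou=kig1ki1,... comes from the thread; the subentry names and the uid=ouadmin DN are assumptions.

```ldif
# Access control is disabled by default in ApacheDS; it must be enabled in
# the server configuration before these subentries have any effect.

# 1. Make the partition root an access-control administrative point.
dn: dc=kig1,dc=example,dc=com
changetype: modify
add: administrativeRole
administrativeRole: accessControlSpecificArea

# 2. Partition-wide admin (DN from the thread): whole partition, full rights.
#    An empty subtreeSpecification covers every entry under the admin point.
dn: cn=kigAdminACI,dc=kig1,dc=example,dc=com
changetype: add
objectClass: top
objectClass: subentry
objectClass: accessControlSubentry
cn: kigAdminACI
subtreeSpecification: {}
prescriptiveACI: { identificationTag "kigAdmin", precedence 0,
  authenticationLevel simple, itemOrUserFirst userFirst: {
  userClasses { name { "uid=admin,ou=kig1ki1,dc=kig1,dc=example,dc=com" } },
  userPermissions { { protectedItems { entry, allUserAttributeTypes,
  allUserAttributeTypesAndValues }, grantsAndDenials { grantRead,
  grantBrowse, grantReturnDN, grantCompare, grantFilterMatch, grantAdd,
  grantModify, grantRemove, grantRename, grantImport, grantExport,
  grantInvoke, grantDiscloseOnError } } } } }

# 3. OU-level admin (assumed DN): only the ou=kig1ki1 subtree, selected by a
#    subtreeSpecification base given relative to the administrative point.
dn: cn=kig1ki1AdminACI,dc=kig1,dc=example,dc=com
changetype: add
objectClass: top
objectClass: subentry
objectClass: accessControlSubentry
cn: kig1ki1AdminACI
subtreeSpecification: { base "ou=kig1ki1" }
prescriptiveACI: { identificationTag "kig1ki1Admin", precedence 0,
  authenticationLevel simple, itemOrUserFirst userFirst: {
  userClasses { name { "uid=ouadmin,ou=kig1ki1,dc=kig1,dc=example,dc=com" } },
  userPermissions { { protectedItems { entry, allUserAttributeTypes,
  allUserAttributeTypesAndValues }, grantsAndDenials { grantRead,
  grantBrowse, grantReturnDN, grantCompare, grantFilterMatch, grantAdd,
  grantModify, grantRemove, grantRename, grantImport, grantExport,
  grantInvoke, grantDiscloseOnError } } } } }
```

Once access control is enabled, a bound user that matches no ACI is denied everything, so verify each admin's access by binding as that user before relying on the rules.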
