directory-users mailing list archives

From Christoph Witzany <christ...@web.crofting.com>
Subject Re: Access Control
Date Tue, 25 Nov 2014 10:36:59 GMT
No, I still cannot browse the subtree ...

On Thu, Nov 20, 2014 at 12:35 AM, Emmanuel Lécharny <elecharny@gmail.com>
wrote:

> On 19/11/14 12:56, Christoph Witzany wrote:
> > Hi guys!
> >
> > I need to create an Apache Directory Server installation with multiple
> > partitions.
> >
> > For each partition there should be one or more admin users that can
> > read/browse/edit only this partition.
> > Additionally, the partitions will contain organisational units, where
> > again a set of users can manage the respective subtree.
> >
> > If I understood the docs right, this should be doable with Prescriptive
> > ACIs.
> >
> > My first try at an ACI was something like that (in a subentry of
> > dc=kig1,dc=example,dc=com ):
> >
> > {
> >     identificationTag "kigAdmin",
> >     precedence 0,
> >     authenticationLevel simple,
> >     itemOrUserFirst itemFirst:
> >     {
> >         protectedItems
> >         {
> >             entry,
> >             allUserAttributeTypes,
> >             allUserAttributeTypesAndValues
> >         }
> >         ,
> >         itemPermissions
> >         {
> >             {
> >                 precedence 0,
> >                 userClasses
> >                 {
> >                     name { "uid=admin,ou=kig1ki1,dc=kig1,dc=example,dc=com" }
> >                 }
> >                 ,
> >                 grantsAndDenials
> >                 {
> >                     grantRename,
> >                     grantExport,
> >                     grantRemove,
> >                     grantInvoke,
> >                     grantDiscloseOnError,
> >                     grantRead,
> >                     grantAdd,
> >                     grantBrowse,
> >                     grantImport,
> >                     grantCompare,
> >                     grantReturnDN,
> >                     grantModify,
> >                     grantFilterMatch
> >                 }
> >             }
> >         }
> >     }
> > }
>
> Have you tried with something like :
>
> {
>     identificationTag "kigAdmin",
>     precedence 0,
>     authenticationLevel simple,
>     itemOrUserFirst userFirst:
>     {
>         userClasses
>         {
>             name { "uid=admin,ou=kig1ki1,dc=kig1,dc=example,dc=com"}
>         },
>         userPermissions
>         {
>             {
>                 protectedItems
>                 {
>                     entry,
>                     allUserAttributeTypes,
>                     allUserAttributeTypesAndValues
>                 },
>                 grantsAndDenials
>                 {
>                     grantRename,
>                     grantExport,
>                     grantRemove,
>                     grantInvoke,
>                     grantDiscloseOnError,
>                     grantRead,
>                     grantAdd,
>                     grantBrowse,
>                     grantImport,
>                     grantCompare,
>                     grantReturnDN,
>                     grantModify,
>                     grantFilterMatch
>                 }
>             }
>         }
>     }
> }
>
> In this case, we state that the uid=admin,ou=kig1ki1,... admin can
> see/update all the entries in the part of the tree associated with the
> subentry, and no other user can.
>
> Can you tell me if it's any better ?
>
>
>
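For readers setting this up, here is an added, complete LDIF (not part of the thread and not ApacheDS project code) that wires Emmanuel's userFirst ACI into a working access-control area on the partition from the thread, and adds a second subentry scoped to one organisational unit, which is the second requirement Christoph raised. It assumes ApacheDS 2.x, the DNs used above, and the attribute name `ads-accessControlEnabled` under `ou=config`; the OU admin group `cn=kig1ki1Admins,ou=kig1ki1,dc=kig1,dc=example,dc=com` and the subentry names are hypothetical.

```ldif
# Added example, not from the thread. Assumes ApacheDS 2.x and the DNs from
# the thread. The ads-accessControlEnabled attribute name is an assumption
# about the ou=config layout; check it against your server's config partition.

# 1. ApacheDS ships with access control disabled, so prescriptive ACIs are
#    silently ignored until this flag is set and the server is restarted.
dn: ads-directoryServiceId=default,ou=config
changetype: modify
replace: ads-accessControlEnabled
ads-accessControlEnabled: TRUE

# 2. Make the partition root an Access Control Specific Area. Subentries
#    carrying prescriptiveACI are only evaluated below an administrative point.
dn: dc=kig1,dc=example,dc=com
changetype: modify
add: administrativeRole
administrativeRole: accessControlSpecificArea

# 3. Partition-wide admin. subtreeSpecification {} covers the administrative
#    point entry itself and everything beneath it, so the admin can start
#    browsing from dc=kig1,dc=example,dc=com. The value is folded with LDIF
#    continuation lines (leading space).
dn: cn=kigAdminACI,dc=kig1,dc=example,dc=com
changetype: add
objectClass: top
objectClass: subentry
objectClass: accessControlSubentry
cn: kigAdminACI
subtreeSpecification: {}
prescriptiveACI: {
   identificationTag "kigAdmin",
   precedence 0,
   authenticationLevel simple,
   itemOrUserFirst userFirst: {
     userClasses { name { "uid=admin,ou=kig1ki1,dc=kig1,dc=example,dc=com" } },
     userPermissions { {
       protectedItems { entry, allUserAttributeTypesAndValues },
       grantsAndDenials { grantAdd, grantBrowse, grantCompare,
         grantDiscloseOnError, grantExport, grantFilterMatch, grantImport,
         grantInvoke, grantModify, grantRead, grantRemove, grantRename,
         grantReturnDN }
     } }
   }
 }

# 4. OU-level admins (hypothetical group). The base in subtreeSpecification is
#    relative to the administrative point, so this ACI applies only to
#    ou=kig1ki1,dc=kig1,dc=example,dc=com and its subtree; the rest of the
#    partition stays invisible to members of the group.
dn: cn=kig1ki1AdminACI,dc=kig1,dc=example,dc=com
changetype: add
objectClass: top
objectClass: subentry
objectClass: accessControlSubentry
cn: kig1ki1AdminACI
subtreeSpecification: { base "ou=kig1ki1" }
prescriptiveACI: {
   identificationTag "kig1ki1Admins",
   precedence 0,
   authenticationLevel simple,
   itemOrUserFirst userFirst: {
     userClasses { userGroup { "cn=kig1ki1Admins,ou=kig1ki1,dc=kig1,dc=example,dc=com" } },
     userPermissions { {
       protectedItems { entry, allUserAttributeTypesAndValues },
       grantsAndDenials { grantAdd, grantBrowse, grantCompare,
         grantDiscloseOnError, grantExport, grantFilterMatch, grantImport,
         grantInvoke, grantModify, grantRead, grantRemove, grantRename,
         grantReturnDN }
     } }
   }
 }
```

Apply the file as `uid=admin,ou=system` (the built-in administrator bypasses ACIs), restart after step 1, then verify by doing a simple bind as `uid=admin,ou=kig1ki1,dc=kig1,dc=example,dc=com` and searching with base `dc=kig1,dc=example,dc=com` and scope `sub`. Two checks worth making when the subtree still does not show up: the bind must be a simple bind, because `authenticationLevel simple` excludes anonymous sessions, and `grantBrowse` plus `grantReturnDN` on `entry` must be present, since without them a subtree search returns nothing even though reads of a known DN succeed. The `userGroup` member set is taken from the group entry's `member`/`uniqueMember` attribute, so it must be a `groupOfNames` or `groupOfUniqueNames`.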
