Complicated ACI Definitions

Email lists > General discussion list for the Fedora Directory server project.

Thread: Complicated ACI Definitions

Search this list only Search all lists
Complicated ACI Definitions
	2007-03-30 11:57:18

Or maybe it's not so complicated and I don't know how. ;) This is what I'm trying to accomplish: Users who are a member of the group 'cn=support' can perform ALL operations on 'userPassword';, except on targets which are a member of group 'cn=admins' or 'cn=bosses'.  Is this possible?  I can't figure out how. Thanks in advance! --BO
Re: Complicated ACI Definitions
	2007-04-02 11:09:38

Here's what I'm starting with: (targetattr = "userPassword" ) (target = "ldap:///dc=example,dc=com") (version 3.0; acl "Support can change passwords"; allow (all) (groupdn = "ldap:///cn=support,ou=groups,dc=example,dc=com");) I just can't figure out how to write the exception. --BO On 3/30/07, Bjorn Oglefjorn < sys.mailinggmail.com">sys.mailinggmail.com> wrote: Or maybe it's not so complicated and I don't know how. ;) This is what I'm trying to accomplish: Users who are a member of the group 'cn=support' can perform ALL operations on 'userPassword';, except on targets which are a member of group 'cn=admins' or 'cn=bosses'.  Is this possible?  I can't figure out how. Thanks in advance! --BO
Re: Re: Complicated ACI Definitions
	2007-04-02 11:17:49
Bjorn Oglefjorn wrote: > Here's what I'm starting with: > > (targetattr = "userPassword" ) > (target = "ldap:///dc=example,dc=com") > (version 3.0; > acl "Support can change passwords"; > allow (all) > (groupdn = "ldap:///cn=support,ou=groups,dc=example,dc=com"); ) > > I just can't figure out how to write the exception. You can add a separate deny aci - deny takes precedence over allow. > --BO > > On 3/30/07, * Bjorn Oglefjorn* <sys.mailinggmail.com > <mailto:sys.mailinggmail.com>> wrote: > > Or maybe it's not so complicated and I don't know how. ;) > > This is what I'm trying to accomplish: > > Users who are a member of the group 'cn=support' > can perform ALL operations on 'userPassword', > except on targets which are a member of group 'cn=admins' or > 'cn=bosses'. > > Is this possible? I can't figure out how. Thanks in advance! > --BO > > > ------------------------------------------------------------ ------------ > > -- > Fedora-directory-users mailing list > Fedora-directory-usersredhat.com > https://www.redhat.com/mailman/listinfo/fedora-dir ectory-users > -- Fedora-directory-users mailing list Fedora-directory-usersredhat.com https://www.redhat.com/mailman/listinfo/fedora-dir ectory-users

Re: Re: Complicated ACI Definitions
	2007-04-02 11:26:45

Thanks for the response Richard.  This helps some, but how do I target the _members_ of, say 'cn=admins,ou=groups,dc=example,dc=com'? Thanks again, --BO On 4/2/07, Richard Megginson < rmegginsredhat.com">rmegginsredhat.com> wrote: Bjorn Oglefjorn wrote: >; Here's what I'm starting with: > > (targetattr = "userPassword" ) > (target = "ldap:///dc=example,dc=com") > (version 3.0; > acl "Support can change passwords"; > allow (all) > (groupdn = "ldap:///cn=support,ou=groups,dc=example,dc=com");) >; > I just can't figure out how to write the exception. You can add a separate deny aci - deny takes precedence over allow. > --BO > > On 3/30/07, * Bjorn Oglefjorn* < sys.mailinggmail.com">sys.mailinggmail.com > <mailto: sys.mailinggmail.com">sys.mailinggmail.com>> wrote: > >    Or maybe it's not so complicated and I don't know how. ;) > >     This is what I'm trying to accomplish: > > ;   Users who are a member of the group 'cn=support' > ;   can perform ALL operations on 'userPassword';, >    except on targets which are a member of group 'cn=admins' or >    'cn=bosses'. > >    Is this possible?  I can't figure out how. Thanks in advance! > ; --BO > > > ------------------------------------------------------------------------ >; > -- > Fedora-directory-users mailing list > Fedora-directory-usersredhat.com"> Fedora-directory-usersredhat.com > https://www.redhat.com/mailman/listinfo/fedora-directory-users > -- Fedora-directory-users mailing list Fedora-directory-usersredhat.com">Fedora-directory-usersredhat.com https://www.redhat.com/mailman/listinfo/fedora-directory-users
Re: Re: Complicated ACI Definitions
	2007-04-02 13:26:12

That's a shame.  Thanks for the push in the right direction though. --BO On 4/2/07, Richard Megginson < rmegginsredhat.com">rmegginsredhat.com > wrote: Bjorn Oglefjorn wrote: >; Thanks for the response Richard.  This helps some, but how do I target > the _members_ of, say 'cn=admins,ou=groups,dc=example,dc=com'? Hmm - not sure. ; I don't think this is possible.  It doesn't appear that groupdn is supported in a target clause.  If all of the entries could be identified by a search filter, you could use a (targetfilter=...)  If you use Roles instead of groups, you could use targetfilter=(nsRole=dn_of_role_definition)). > > Thanks again, >; --BO > > On 4/2/07, * Richard Megginson* < rmegginsredhat.com">rmegginsredhat.com > <mailto: rmegginsredhat.com">rmegginsredhat.com>> wrote: >; > ;   Bjorn Oglefjorn wrote: >     > Here's what I'm starting with: > ;   > >  ; > (targetattr = "userPassword" ) >    > (target = "ldap:///dc=example,dc=com") > ;   > (version 3.0; >;     > acl "Support can change passwords"; > ;   > allow (all) > ;   > (groupdn = "ldap:///cn=support,ou=groups,dc=example,dc=com");) >;     > >  ; > I just can't figure out how to write the exception. >    You can add a separate deny aci - deny takes precedence over allow. >;     > --BO >  ; > >  ; > On 3/30/07, * Bjorn Oglefjorn* < sys.mailinggmail.com">sys.mailinggmail.com >    <mailto: sys.mailinggmail.com">sys.mailinggmail.com> >    > <mailto: sys.mailinggmail.com">sys.mailinggmail.com <mailto: sys.mailinggmail.com"> sys.mailinggmail.com>>>; > ;   wrote: >;     > >  ; > ; Or maybe it's not so complicated and I don't know how. ;) >    > >  ; > ; This is what I'm trying to accomplish: >    > >  ; > ; Users who are a member of the group 'cn=support' >   > ; can perform ALL operations on 'userPassword';, >    > ; except on targets which are a member of group 'cn=admins' or >  ; > ; 'cn=bosses'. >   > >  ; > ; Is this possible?  I can't figure out how. Thanks in advance! >     > ; --BO >  ; > >  ; > >  ; > >;     ------------------------------------------------------------------------ >;     > >  ; > -- >    > Fedora-directory-users mailing list >  ; > Fedora-directory-usersredhat.com"> Fedora-directory-usersredhat.com > ;   <mailto: Fedora-directory-usersredhat.com">Fedora-directory-usersredhat.com> >  ; > https://www.redhat.com/mailman/listinfo/fedora-directory-users > ; > > >   -- >    Fedora-directory-users mailing list >  ; Fedora-directory-usersredhat.com">Fedora-directory-usersredhat.com >    <mailto: Fedora-directory-usersredhat.com">Fedora-directory-usersredhat.com> >  ; https://www.redhat.com/mailman/listinfo/fedora-directory-users > ; <https://www.redhat.com/mailman/listinfo/fedora-directory-users> > >; > > ------------------------------------------------------------------------ > > -- > Fedora-directory-users mailing list > Fedora-directory-usersredhat.com">Fedora-directory-usersredhat.com > https://www.redhat.com/mailman/listinfo/fedora-directory-users > -- Fedora-directory-users mailing list Fedora-directory-usersredhat.com">Fedora-directory-usersredhat.com https://www.redhat.com/mailman/listinfo/fedora-directory-users

[1-5]

about | contact Other archives ( Real Estate discussion Medical topics )