On 02/24/2014 10:47 PM, Noriko Hosoi wrote:
Rich Megginson wrote:
On 02/24/2014 09:00 AM, thierry bordaz wrote:
Hello,
The IPA team filed this ticket:
https://fedorahosted.org/389/ticket/47553.
It requires an ACI improvement so that during a MODDN a given
user is only allowed to move an entry from one specified part of
the DIT to another specified part of the DIT, without the
need to grant the ADD permission.
Here is the design of what could be implemented to support this
need
http://port389.org/wiki/Access_control_on_trees_specified_in_MODDN_operation
regards
thierry
Since this is not related to any Red Hat internal or customer
information, we should move this discussion to the 389-devel list.
Hi Thierry,
Your design looks good. A minor question: the doc does not mention
"deny". For instance, in your example DIT, can I allow
"moddn_to" and "moddn_from" on the top "dc=example,dc=com" and deny
them on "cn=tests"? Then I can move an entry between cn=accounts and
staging, but not to/from cn=tests. Or is "deny" not supposed to be used
there?
Thanks,
--noriko
Hi Noriko,
Thanks for having looked at the document. You are right, I missed
documenting how 'DENY' ACIs would work.
I updated the design
http://port389.org/wiki/Access_control_on_trees_specified_in_MODDN_operation#ACI_allow.2Fdeny_rights
to indicate how DENY rights could be used.
By default, if there is no ACI granting 'allow', the operation is
rejected. So in that case, without an ACI applicable to 'cn=tests', MODDN
to/from 'cn=tests' will not be authorized.
Adding a DENY targeting 'cn=tests' would also work, but I think it is not
required.
In the example I added, the 'ALLOW' right is granted to a tree
(cn=accounts,SUFFIX) except for a subtree of it
(cn=except,cn=accounts,SUFFIX).
regards
thierry
--
389-devel mailing list
389-devel@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/389-devel
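The two scenarios discussed in this thread (Noriko's "allow on the suffix, deny on cn=tests" and Thierry's "allow scoped to the trees concerned, cn=tests rejected by default"), worked through in a small evaluator. This is an added example written for this page; it is not code from 389 Directory Server or from the design wiki. It models the proposal as the mail describes it: a 'moddn_from' right checked where the entry currently sits and a 'moddn_to' right checked where it will land, with the existing 389 ACI rule that nothing is granted without a matching ALLOW and that a matching DENY overrides any ALLOW. The bound DN 'uid=mover,...', the entry names, and the representation of the "except" subtree as an explicit DENY are assumptions made for the example, not something the design page specifies.

```python
"""Toy evaluator for the MODDN moddn_from / moddn_to access-control design.

Added example, not 389 Directory Server code.  Assumptions: the rights are
evaluated as ordinary ACI rights (default deny, DENY overrides ALLOW), and
the "except" subtree from the thread is expressed as a DENY ACI.
"""
from dataclasses import dataclass

SUFFIX = "dc=example,dc=com"


def split_dn(dn: str) -> list[str]:
    """Split a DN into normalised (trimmed, lower-cased) RDN strings.

    Backslash-escaped commas inside an RDN value are kept, so the split
    cannot be confused by a value such as 'cn=Smith\\, John'.
    """
    rdns, cur, escaped = [], [], False
    for ch in dn:
        if escaped:
            cur.append(ch)
            escaped = False
        elif ch == "\\":
            cur.append(ch)
            escaped = True
        elif ch == ",":
            rdns.append("".join(cur).strip().lower())
            cur = []
        else:
            cur.append(ch)
    rdns.append("".join(cur).strip().lower())
    return [r for r in rdns if r]


def in_subtree(entry_dn: str, subtree_dn: str) -> bool:
    """True if entry_dn is subtree_dn itself or lies anywhere below it."""
    entry, root = split_dn(entry_dn), split_dn(subtree_dn)
    return len(entry) >= len(root) and entry[len(entry) - len(root):] == root


@dataclass(frozen=True)
class Aci:
    target: str             # subtree the ACI applies to
    effect: str             # "allow" or "deny"
    rights: frozenset       # subset of {"moddn_from", "moddn_to"}
    userdn: str             # bound DN the ACI applies to, or "anyone"

    def applies(self, bound_dn: str, entry_dn: str, right: str) -> bool:
        return (right in self.rights
                and in_subtree(entry_dn, self.target)
                and (self.userdn == "anyone"
                     or split_dn(self.userdn) == split_dn(bound_dn)))


def has_right(acis, bound_dn: str, entry_dn: str, right: str) -> bool:
    """Default deny: at least one matching ALLOW is needed, and any matching
    DENY wins over every ALLOW (the usual 389 ACI precedence)."""
    matching = [a for a in acis if a.applies(bound_dn, entry_dn, right)]
    if any(a.effect == "deny" for a in matching):
        return False
    return any(a.effect == "allow" for a in matching)


def moddn_allowed(acis, bound_dn: str, entry_dn: str, new_superior: str) -> bool:
    """A MODDN with newSuperior is authorised only if the bound user holds
    moddn_from where the entry is now and moddn_to where it will be.
    No ADD (or DELETE) right on either tree is consulted."""
    new_dn = f"{split_dn(entry_dn)[0]},{new_superior}"
    return (has_right(acis, bound_dn, entry_dn, "moddn_from")
            and has_right(acis, bound_dn, new_dn, "moddn_to"))


MOVER = "uid=mover,cn=accounts," + SUFFIX          # constructed bound DN
BOTH = frozenset({"moddn_from", "moddn_to"})

# Noriko's question: allow both rights on the suffix, deny them on cn=tests.
NORIKO_ACIS = [
    Aci(SUFFIX, "allow", BOTH, MOVER),
    Aci("cn=tests," + SUFFIX, "deny", BOTH, MOVER),
]

# Thierry's answer: scope the ALLOWs to staging (from) and accounts (to);
# cn=tests needs no ACI at all, it is rejected by default.  The exception
# subtree cn=except,cn=accounts is modelled with a DENY (assumption).
THIERRY_ACIS = [
    Aci("cn=staging," + SUFFIX, "allow", frozenset({"moddn_from"}), MOVER),
    Aci("cn=accounts," + SUFFIX, "allow", frozenset({"moddn_to"}), MOVER),
    Aci("cn=except,cn=accounts," + SUFFIX, "deny", frozenset({"moddn_to"}), MOVER),
]

STAGED = "uid=alice,cn=staging," + SUFFIX          # constructed entries
TESTED = "uid=bob,cn=tests," + SUFFIX


def demo() -> dict:
    """Return the decisions for the moves discussed in the thread."""
    return {
        "noriko: staging -> accounts": moddn_allowed(NORIKO_ACIS, MOVER, STAGED, "cn=accounts," + SUFFIX),
        "noriko: staging -> tests": moddn_allowed(NORIKO_ACIS, MOVER, STAGED, "cn=tests," + SUFFIX),
        "noriko: tests -> accounts": moddn_allowed(NORIKO_ACIS, MOVER, TESTED, "cn=accounts," + SUFFIX),
        "thierry: staging -> accounts": moddn_allowed(THIERRY_ACIS, MOVER, STAGED, "cn=accounts," + SUFFIX),
        "thierry: staging -> except": moddn_allowed(THIERRY_ACIS, MOVER, STAGED, "cn=except,cn=accounts," + SUFFIX),
        "thierry: tests -> accounts": moddn_allowed(THIERRY_ACIS, MOVER, TESTED, "cn=accounts," + SUFFIX),
    }


if __name__ == "__main__":
    for move, ok in demo().items():
        print(f"{move}: {'allowed' if ok else 'rejected'}")
```

Both ACI sets give the same answers for the moves in the thread; the difference is that Thierry's version grants nothing outside the two trees involved, so a future subtree added under the suffix is protected without anyone remembering to add a DENY for it.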