On Mar 6, 2014, at 11:32 AM, Ludwig Krispenz <[email protected]> wrote:

> 
> On 03/04/2014 11:10 PM, Morgan Jones wrote:
>> 
>> 
>> On Mar 4, 2014, at 3:20 AM, Ludwig Krispenz <[email protected]> wrote:
>> 
>>>>> Are groups involved in the acis and do these groups during these runs ?
>>>> Yes, most of our ACIs use groups to determine access.  I'm not sure I 
>>>> understand the second part of your question though.
>>> you can't, it was incomplete. I wanted to know if these groups are modified 
>>> during the runs when you see the failure.
>>>>  I do suspect this has something to do with access control though as it's 
>>>> behaving exactly like the user is denied by the ACIs.
>> No, groups were not modified.  They are relatively small as we're still 
>> migrating to this environment--maybe 10-15 DNs per group and they're only 
>> modified when we add/remove privileged accounts which isn't very often.
>> 
>>>>> Could you post your acis ?
>>>> Probably.  I'm working on permission to do so.
>> The compromise I came to with my management and security team is to 
>> obfuscate the ACIs such that the attribute counts and structure are intact 
>> but the names are changed.  Is the below useful?
> yes, but I can't see anything wrong with the acis.

Thanks for your input on the ACIs.

> One more question. Do the searches always match only one entry, or one they 
> should see and some they shouldn't?

In every case where we've seen this problem it's a search for one entry 
(uid=username) that the bind dn is able to see.

Thanks for your input, we're working on repeating it reliably in 389.

>> 
>> # Employee LDAP Access Control
>> #
>> dn: dc=domain,dc=org
>> changetype: modify
>> replace: aci
>> #
>> aci: (target = "ldap:///ou=employees,dc=domain,dc=org";)
>>  (targetattr = "userpassword")
>>  (version 3.0; acl "limited user self write";
>>  allow (write) userdn = "ldap:///self";;)
>> #
>> aci: (target = "ldap:///dc=domain,dc=org"; )
>>  (targetfilter = "(|(objectclass=orgAssociate)(objectclass=orgEmployee)(objectclass=domain)
>>  (objectclass=organizationalunit)(objectclass=groupofnames)(objectclass=groupofuniquenames))")
>>  (targetattr = "attr1 || attr2 || ... || attr40")
>>  (version 3.0; acl "general access, replaces anonymous access";
>>  allow (read, search, compare)
>>  (userdn = "ldap:///self";) or
>>  (groupdn = "ldap:///cn=orgGroup1,ou=groups,dc=domain,dc=org";) or
>>  (groupdn = "ldap:///cn=orgGroup2,ou=groups,dc=domain,dc=org";) or
>>  (groupdn = "ldap:///cn=orgGroup3,ou=groups,dc=domain,dc=org";) or
>>  (groupdn = "ldap:///cn=orgGroup4,ou=groups,dc=domain,dc=org";) or
>>  (groupdn = "ldap:///cn=orgGroup5,ou=groups,dc=domain,dc=org";)
>>  ;)
>> #
>> aci: (target = "ldap:///dc=domain,dc=org"; )
>>  (targetfilter = "(|(objectclass=orgExternalEmployee)(objectclass=domain)
>>  (objectclass=organizationalunit)(objectclass=groupofnames)(objectclass=groupofuniquenames))")
>>  (targetattr = "attr1 || attr2 || ... || attr40 ")
>>  (version 3.0; acl "general access, replaces anonymous access";
>>  allow (read, search, compare)
>>  (userdn = "ldap:///self";) or
>>  (groupdn = "ldap:///cn=orgGroup2,ou=groups,dc=domain,dc=org";) or
>>  (groupdn = "ldap:///cn=OrgGroup3,ou=groups,dc=domain,dc=org";) or
>>  (groupdn = "ldap:///cn=orgGroup4,ou=groups,dc=domain,dc=org";) or
>>  (groupdn = "ldap:///cn=orgGroup5,ou=groups,dc=domain,dc=org";)
>>  ;)
>> #
>> aci: (target = "ldap:///dc=domain,dc=org";)
>>  (targetfilter = "(|(objectclass=orgExternalEmployee)(objectclass=domain)
>>  (objectclass=organizationalunit)(objectclass=groupofnames)(objectclass=orgServiceAccount)(objectclass=orgOrgAccount))")
>>  (targetattr = "attr1 || attr2 || ... || attr40")
>>  (version 3.0; acl "general access plus service and organizational accounts";
>>  allow (read, search, compare)
>>  (userdn = "ldap:///self";) or
>>  (groupdn = "ldap:///cn=OrgGroup3,ou=groups,dc=domain,dc=org";) or
>>  (groupdn = "ldap:///cn=orgGroup4,ou=groups,dc=domain,dc=org";) or
>>  (groupdn = "ldap:///cn=orgGroup5,ou=groups,dc=domain,dc=org";)
>>  ;)
>> #
>> aci: (target = "ldap:///dc=domain,dc=org";)(targetattr = "attr1 ||
>>  attr2 || ... || attr30")
>>  (version 3.0; acl "limited read access to non-public attributes for 
>>  delegated admins";
>>  allow (read, search, compare)
>>  (groupdn = "ldap:///cn=orgGroup4,ou=groups,dc=domain,dc=org";) or
>>  (groupdn = "ldap:///cn=orgGroup5,ou=groups,dc=domain,dc=org";)
>>  ;)
>> #
>> aci: (target = "ldap:///dc=domain,dc=org";)
>>  (targetattr = "attr1 || attr2 || ... || attr28")
>>  (version 3.0; acl "limited write access for delegated admins";
>>  allow (write) groupdn = "ldap:///cn=orgGroup5,ou=groups,dc=domain,dc=org";;)
>> #
>> aci: (target = "ldap:///dc=domain,dc=org";)
>>  (targetattr = "*")(version 3.0; acl "full access for delegated admins";
>>  allow (all) groupdn = "ldap:///cn=orgGroup6,ou=groups,dc=domain,dc=org";;)
>> #
>> aci: (target = "ldap:///dc=domain,dc=org";)
>>  (targetfilter="(memberof=cn=orgGroup6,ou=Groups,dc=domain,dc=org)")
>>  (targetattr="userpassword")
>>  (version 3.0; acl "deny non-admin user write access to admin users' 
>>  passwords";
>>  deny (all) groupdn != "ldap:///cn=orgGroup6,ou=groups,dc=domain,dc=org";
>>  ;)
>> #
>> aci: (target = "ldap:///dc=domain,dc=org";)
>>  (targetattr = "attr1 || attr2 || ... || attr19")
>>  (version 3.0; acl "access to posixaccount attributes for proxyagent";
>>  allow (read,search,compare) userdn = 
>>  "ldap:///uid=binddn1,ou=svc_accts,dc=domain,dc=org";;)
>> 
>> thanks,
>> 
>> -morgan
>> 
>> --
>> 389 users mailing list
>> [email protected]
>> https://admin.fedoraproject.org/mailman/listinfo/389-users

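To read the quoted ACIs the way the server would, here is a small evaluator added to this thread; it is not 389 DS code and not from either poster. It models only the constructs those ACIs use (target subtree, targetattr, an OR-ed targetfilter on objectclass or memberof, userdn=self, groupdn, groupdn != and 389's deny-over-allow precedence), and every DN, group name and attribute name in it is a constructed placeholder.

```python
# Added example (not 389 DS code): a toy evaluator for the style of ACIs
# quoted in this thread.  It models only target subtree, targetattr, an OR-ed
# targetfilter, userdn=self, groupdn, "groupdn !=" and deny-over-allow.
# All DNs, group names and attribute names are constructed placeholders.
BASE = "dc=domain,dc=org"
GRP = "cn=orgGroup%d,ou=groups," + BASE
ADMINS = GRP % 6
ALL = {"read", "search", "compare", "write", "add", "delete"}  # what "(all)" expands to
def lc(values):
    return {v.lower() for v in values}
def filter_ok(entry, tfilter):
    """tfilter = (attr, values) with OR semantics, like (|(objectclass=a)(objectclass=b))."""
    return tfilter is None or bool(lc(entry.get(tfilter[0], [])) & lc(tfilter[1]))
def subject_ok(aci, bind_dn, entry_dn, groups):
    """groups: the set of group DNs the bind DN belongs to."""
    if aci.get("self") and bind_dn.lower() == entry_dn.lower():
        return True
    if lc(aci.get("groupdn", [])) & lc(groups):
        return True
    return "not_groupdn" in aci and aci["not_groupdn"].lower() not in lc(groups)
def effective_rights(acis, bind_dn, groups, entry_dn, entry, attr):
    """Rights bind_dn holds on one attribute of entry_dn; any matching deny wins."""
    allowed, denied = set(), set()
    for aci in acis:
        if not entry_dn.lower().endswith(aci["target"].lower()):
            continue
        if aci["targetattr"] != "*" and attr.lower() not in lc(aci["targetattr"]):
            continue
        if filter_ok(entry, aci.get("targetfilter")) and subject_ok(aci, bind_dn, entry_dn, groups):
            (denied if aci["deny"] else allowed).update(aci["rights"])
    return allowed - denied
# Four ACIs shaped like the thread's general access, limited write, full access and deny rules.
ACIS = [
    {"target": BASE, "targetattr": ["attr1", "attr2"], "deny": False, "self": True,
     "targetfilter": ("objectclass", ["orgEmployee", "orgAssociate"]),
     "rights": {"read", "search", "compare"}, "groupdn": [GRP % i for i in range(1, 6)]},
    {"target": BASE, "targetattr": ["attr1", "userpassword"], "deny": False,
     "rights": {"write"}, "groupdn": [GRP % 5]},
    {"target": BASE, "targetattr": "*", "deny": False, "rights": ALL, "groupdn": [ADMINS]},
    {"target": BASE, "targetattr": ["userpassword"], "deny": True, "rights": ALL,
     "targetfilter": ("memberof", [ADMINS]), "not_groupdn": ADMINS},
]
# Constructed entries: an ordinary employee and an employee who is in the admin group.
ENTRIES = {
    "uid=jdoe,ou=employees," + BASE: {"objectclass": ["orgEmployee"]},
    "uid=adm1,ou=employees," + BASE: {"objectclass": ["orgEmployee"], "memberof": [ADMINS]},
}
def rights_for(bind_dn, groups, entry_dn, attr):
    return effective_rights(ACIS, bind_dn, groups, entry_dn, ENTRIES[entry_dn], attr)
```

It shows, for instance, that an orgGroup5 member can write an ordinary employee's userpassword but gets nothing on an orgGroup6 member's, because the deny ACI matches and wins. Against a live 389 server the same question is answered by the Get Effective Rights control rather than by reading the rules by hand.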