On 11/27/18 7:24 PM, Alistair Cunningham wrote:
I've added these acis, but a telephone (with objectClass 'person') in
tenant1 can still see people (with objectClass 'inetOrgPerson') in
tenant2. Presumably there needs to also be a blanket aci to forbid all
telephones from viewing other tenants, that these tenant-specific
allow acis then override?
There might be an aci that is allowing anonymous access to basic
entries. By default if there are no ACI's then access is completely
blocked except for Directory Manager. So some aci is allowing access.
We need to see all the ACI's you have:
For example, this would list all the aci's under dc=example,dc=com:
# ldapsearch -D "cn=directory manager" -W -b "dc=example,dc=com" aci=* aci
I suspect there is an aci with a userdn that equals "anyone", but we'll
see...
On 27/11/2018 10:31, Olivier JUDITH wrote:
Hi,
Give IT a try. It should work
aci:
(target="ldap:///ou=tenant1,dc=example,dc=com";)(targetattr=*)(version
3.0;acl "aci1";allow (read,search)
userdn="ldap:///uid=*,ou=tenant1,dc=example,dc=com";;)
aci:
(target="ldap:///ou=tenant2,dc=example,dc=com";)(targetattr=*)(version
3.0;acl "aci2";allow (read,search)
userdn="ldap:///uid=*,ou=tenant2,dc=example,dc=com";;)
Let me know
Le mar. 27 nov. 2018 à 00:03, Alistair Cunningham
<acunning...@integrics.com <mailto:acunning...@integrics.com>> a écrit :
On 26/11/2018 18:59, Olivier JUDITH wrote:
> Hi,
>
> I'm using the Redhat documentation on this link
>
https://access.redhat.com/documentation/en-us/red_hat_directory_server/10/html-single/plug-in_guide/index
That looks rather complex. It's a real shame that there's no way of
limiting users to the same ou using a regular expression ACL.
> Regards
>
> lun. 26 nov. 2018 à 05:46, Alistair Cunningham
> <acunning...@integrics.com <mailto:acunning...@integrics.com>
<mailto:acunning...@integrics.com
<mailto:acunning...@integrics.com>>> a écrit :
>
> On 25/11/2018 11:44, Olivier JUDITH wrote:
> > From my point of view , the easiest way to solve this is
to set
> a search filter on the OU corresponding to the tenant on each
phone.
> > Can you modify the software on the phone ?
>
> Unfortunately not. The telephone handset firmware is written
by various
> third parties, and we have no access to it.
>
> This would also be insecure. Anyone with the username and
password of a
> telephone and who could use an LDAP client such as LDAP
search could
> bypass the filter to see all the users in all the tenants
(i.e.
> every ou).
>
> > The other way could be by creating a 389 plugin that
add a
> filter on the good OU regarding the DN of user which make the
call
> to the ldap.
>
> That might be an option. Do you know where I can find
documentation on
> how to do this?
>
> --
> Alistair Cunningham
> +1 888 468 3111
> +44 20 799 39 799
> https://enswitch.com/
>
>
> _______________________________________________
> 389-users mailing list -- 389-users@lists.fedoraproject.org
<mailto:389-users@lists.fedoraproject.org>
> To unsubscribe send an email to
389-users-le...@lists.fedoraproject.org
<mailto:389-users-le...@lists.fedoraproject.org>
> Fedora Code of Conduct:
https://getfedora.org/code-of-conduct.html
> List Guidelines:
https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives:
https://lists.fedoraproject.org/archives/list/389-users@lists.fedoraproject.org
>
-- Alistair Cunningham
+1 888 468 3111
+44 20 799 39 799
https://enswitch.com/
_______________________________________________
389-users mailing list -- 389-users@lists.fedoraproject.org
<mailto:389-users@lists.fedoraproject.org>
To unsubscribe send an email to
389-users-le...@lists.fedoraproject.org
<mailto:389-users-le...@lists.fedoraproject.org>
Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
List Guidelines:
https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives:
https://lists.fedoraproject.org/archives/list/389-users@lists.fedoraproject.org
_______________________________________________
389-users mailing list -- 389-users@lists.fedoraproject.org
To unsubscribe send an email to 389-users-le...@lists.fedoraproject.org
Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives:
https://lists.fedoraproject.org/archives/list/389-users@lists.fedoraproject.org
_______________________________________________
389-users mailing list -- 389-users@lists.fedoraproject.org
To unsubscribe send an email to 389-users-le...@lists.fedoraproject.org
Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives:
https://lists.fedoraproject.org/archives/list/389-users@lists.fedoraproject.org
