Rob Crittenden wrote:
David O'Brien wrote:
Rob Crittenden wrote:
I added some more documentation and examples to the aci plugin on
Running behind with reviews, sorry. Just a few minor fixes:
s/"This is primarily meant to be able to allow users to add/remove
members of a specific group only."/"This is primarily designed to enable
users to add or remove members of a specific group."
(I _think_ I understood that ok, and didn't change the meaning. Further,
if this target is only designed for this purpose, you don't need
"primarily". If it does something else, what is it?)
I couldn't grok 100% the "subtree" target description.
s/"... the ACI is allowed to do, they are one or more of:"/"... the ACI
is allowed to do, and are one or more of:"
For consistency's sake, s/lets/allows/ etc. Also see below:
allows members of the "addusers" taskgroup
lets members of the editors... group?
lets members of the admin group
You might need to review the examples a bit.
Ok, the right updated patch this time.
From 0e32a5c12c79384d5f22c69474f45112ae2c6def Mon Sep 17 00:00:00 2001
From: Rob Crittenden <rcrit...@redhat.com>
Date: Thu, 2 Dec 2010 13:25:00 -0500
Subject: [PATCH] Add more information and examples on targets.
ipalib/plugins/aci.py | 39 +++++++++++++++++++++++++++++++++------
1 files changed, 33 insertions(+), 6 deletions(-)
diff --git a/ipalib/plugins/aci.py b/ipalib/plugins/aci.py
index c0f47e3..acb6121 100644
@@ -47,11 +47,23 @@ An ACI consists of three parts:
3. bind rules
The target is a set of rules that define which LDAP objects are being
-targetted. This can include a list of attributes, an area of that LDAP
+targeted. This can include a list of attributes, an area of that LDAP
tree or an LDAP filter.
-The permissions define what the ACI is allowed to do, they are one or more
+The targets include:
+- attrs: list of attributes affected
+- type: an object type (user, group, host, service, etc)
+- memberof: members of a group
+- targetgroup: grant access to modify a specific group. This is primarily
+ designed to enable users to add or remove members of a specific group.
+- filter: A legal LDAP filter used to narrow the scope of the target.
+- subtree: Used to apply a rule across an entire set of objects. For example,
+ to allow adding users you need to grant "add" permission to the subtree
+ ldap://uid=*,cn=users,cn=accounts,dc=example,dc=com. The subtree option
+ is a fail-safe for objects that may not be covered by the type option.
+The permissions define what the the ACI is allowed to do, and are one or
1. write - write one or more attributes
2. read - read one or more attributes
3. add - add a new entry to the tree
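Review bot: the reworked permissions sentence at the end of this hunk has a doubled word, "what the the ACI is allowed to do"; drop one "the". In the new subtree bullet the example target is written "ldap://uid=*,cn=users,cn=accounts,dc=example,dc=com" with two slashes; a raw 389-ds ACI target is an LDAP URL of the form ldap:///<dn> (three slashes, empty host), so either add the third slash or give it as a bare DN, which is the form the later permission-add example uses with --subtree="cn=*,cn=orange,cn=accounts,dc=example,dc=com". Since the same bullet presents subtree as the fail-safe for objects not covered by type, the type bullet's "(user, group, host, service, etc)" would be more useful as the complete list of supported types, so the reader can tell when the fallback is actually needed.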
@@ -71,18 +83,33 @@ http://www.redhat.com/docs/manuals/dir-server/ag/8.0/Managing_Access_Control.htm
+NOTE: ACIs are now added via the permision plugin. These examples are to
+demonstrate how the various options work but this is done via the permission
+command-line now (see last example).
Add an ACI so that the group "secretaries" can update the address on any user:
+ ipa group-add --desc="Office secretaries" secretaries
ipa aci-add --attrs=streetAddress --memberof=ipausers --group=secretaries --permissions=write "Secretaries write addresses"
Show the new ACI:
ipa aci-show "Secretaries write addresses"
- Add an ACI that allows members of the "addusers" taskgroup to add new users:
- ipa aci-add --type=user --taskgroup=addusers --permissions=add "Add new users"
+ Add an ACI that allows members of the "addusers" permission to add new users:
+ ipa aci-add --type=user --permission=addusers --permissions=add "Add new users"
- Add an ACI that lets members of the edotors manage members of the admins group:
+ Add an ACI that allows members of the editors manage members of the admins group:
ipa aci-add --permissions=write --attrs=member --targetgroup=admins --group=editors "Editors manage admins"
+ Add an ACI that allows members of the admin group manage the street and zipcode of those in the editors group:
+ ipa aci-add --permissions=write --memberof=editors --group=admins --attrs=street,postalcode "admins edit address of editors"
+ Add an ACI that allows the admins group manage the street and zipcode of those who work for the boss:
+ ipa aci-add --permissions=write --group=admins --attrs=street,postalcode --filter="(manager=uid=boss,cn=users,cn=accounts,dc=example,dc=com)" "Edit the address of those who work for the boss"
+ Add an entirely new kind of record to IPA that isn't covered by any of the --type options, creating a permission:
+ ipa permission-add --permissions=add --subtree="cn=*,cn=orange,cn=accounts,dc=example,dc=com" --desc="Add Orange Entries" add_orange
The show command shows the raw 389-ds ACI.
IMPORTANT: When modifying the target attributes of an existing ACI you
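Review bot: "permision plugin" in the new NOTE is misspelled ("permission"), and three of the new example descriptions drop the infinitive: "allows members of the editors manage", "allows members of the admin group manage" and "allows the admins group manage" should read "... editors group to manage", "... admin group to manage" and "... admins group to manage" (the first of these also settles the lets/allows consistency point raised earlier in the thread). The NOTE says ACIs are now added via the permission plugin, yet every example but the last still uses aci-add; stating in the NOTE that the aci-add lines only illustrate the target options and that permission-add is the supported path would make that explicit. Finally, "members of the "addusers" permission" reads oddly beside the other examples, which all name groups; rewording it to say who actually holds that permission would help.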
Freeipa-devel mailing list