Hi everybody,

I've added some custom schema to my directory, but it's useless to me if
I can't control read permissions on it.  This is obviously a little
tricky since (Free)IPA allows everybody to read everything by default.
 With that, what's the best way to restrict access to user attributes?
Is there anything like this in the roadmap?

For the interim I've crafted some custom aci entries.  Where should I
put them?  Will they work?  Here they are:

> aci: (targetattr =
>   "attribute1 ||
>   attribute2 ||
>   attribute3")
>  (version 3.0; acl "custom attributes base"; deny (all)
>   (userdn = "ldap:///anyone" and
>   userdn != "ldap:///self" and
>   groupdn != "ldap:///cn=Read custom attributes,cn=permissions,cn=pbac,dc=sesda2,dc=com");)
> 
> aci: (targetattr =
>   "attribute1 ||
>   attribute2 ||
>   attribute3")
>  (version 3.0; acl "custom attributes update"; allow (add, read, write, search, delete)
>   (userdn = "ldap:///self" or
>   groupdn = "ldap:///cn=Manage custom attributes,cn=permissions,cn=pbac,dc=sesda2,dc=com");)


-- 
-----
*question everything*learn something*answer nothing*
------------
Lucas Yamanishi
------------------
Systems Administrator, ADNET Systems, Inc.
7515 Mission Drive, Suite A100
Lanham, MD 20706 * 301-352-4646 * 0xE23F3D7A

_______________________________________________
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users
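An added example, not part of Lucas's post and not FreeIPA or 389-ds code: a small Python lint for ACI strings of the shape posted above. It checks the (targetattr ...)(version 3.0; ...) skeleton, the rights list and each bind-rule clause, so a malformed rule (for instance a ';' between clauses, where the ACI bind-rule grammar only joins clauses with and/or/not) is caught before it is loaded and silently leaves the attribute readable. The grammar covered is deliberately limited (no targetfilter, no nested bind-rule groups), and the sample ACIs with the base DN dc=example,dc=com are constructed placeholders.

```python
"""Lint 389-ds / FreeIPA ACI strings before loading them into the directory.

Constructed example: the simplified grammar below covers the
(targetattr ...)(version 3.0; acl "..."; allow|deny (...) (...);) form used in
the post; targetfilter and nested bind-rule groups are not handled.
"""
import re
from dataclasses import dataclass


@dataclass
class Aci:
    targetattrs: list   # attributes the rule applies to
    name: str           # the acl "name"
    effect: str         # "allow" or "deny"
    rights: list        # e.g. ["read", "search"]
    bind_rule: str      # raw text between the bind-rule parentheses


# Skeleton: (targetattr = "a || b")(version 3.0; acl "name"; allow|deny (rights) (bind rules);)
ACI_RE = re.compile(
    r'^\(\s*targetattr\s*(?:=|!=)\s*"([^"]*)"\s*\)'       # 1: target attributes
    r'\s*\(\s*version\s+3\.0\s*;\s*acl\s+"([^"]*)"\s*;'   # 2: acl name
    r'\s*(allow|deny)\s*\(([^)]*)\)'                       # 3: effect, 4: rights
    r'\s*\((.*)\)\s*;\s*\)\s*$',                           # 5: bind rules
    re.DOTALL | re.IGNORECASE,
)
# One bind-rule clause, e.g. userdn != "ldap:///self"
CLAUSE_RE = re.compile(
    r'^(userdn|groupdn|roledn|userattr|ip|dns|authmethod|dayofweek|timeofday)'
    r'\s*(?:=|!=)\s*"[^"]*"$',
    re.IGNORECASE,
)
VALID_RIGHTS = {"read", "write", "add", "delete", "search", "compare",
                "selfwrite", "proxy", "all"}


def normalise(text: str) -> str:
    """Strip '> ' mail quoting and an 'aci:' LDIF prefix, then join wrapped lines."""
    lines = [re.sub(r'^\s*>\s?', '', ln).strip() for ln in text.splitlines()]
    joined = re.sub(r'\s+', ' ', " ".join(ln for ln in lines if ln))
    return re.sub(r'^aci:\s*', '', joined, flags=re.IGNORECASE)


def parse_aci(text: str) -> Aci:
    """Split one ACI into its parts; raise ValueError if the skeleton is wrong."""
    m = ACI_RE.match(normalise(text))
    if not m:
        raise ValueError("ACI does not match the (targetattr ...)(version 3.0; ...) skeleton")
    attrs, name, effect, rights, bind = m.groups()
    return Aci(
        targetattrs=[a.strip() for a in attrs.split("||") if a.strip()],
        name=name,
        effect=effect.lower(),
        rights=[r.strip().lower() for r in rights.split(",") if r.strip()],
        bind_rule=bind.strip(),
    )


def lint_aci(text: str) -> list:
    """Return the problems found; an empty list means the ACI looks well-formed."""
    try:
        aci = parse_aci(text)
    except ValueError as exc:
        return [str(exc)]
    problems = [f"unknown right {r!r}" for r in aci.rights if r not in VALID_RIGHTS]
    # Clauses may only be joined by and/or/not; a ';' inside the bind-rule
    # parentheses is not part of the grammar and leaves the rule malformed.
    for clause in re.split(r'\s+(?:and|or)\s+', aci.bind_rule, flags=re.IGNORECASE):
        clause = re.sub(r'^not\s+', '', clause.strip(), flags=re.IGNORECASE)
        if not CLAUSE_RE.match(clause):
            hint = " (stray ';' between bind-rule clauses?)" if ";" in clause else ""
            problems.append(f"bad bind-rule clause {clause!r}{hint}")
    return problems


# Constructed sample in the shape of the post's first rule, with a ';' after
# each bind-rule clause; dc=example,dc=com is a placeholder base DN.
BAD_ACI = """
> aci: (targetattr =
>   "attribute1 ||
>   attribute2 ||
>   attribute3")
>  (version 3.0; acl "custom attributes base"; deny (all)
>   (userdn = "ldap:///anyone"; and
>   userdn != "ldap:///self"; and
>   groupdn != "ldap:///cn=Read custom attributes,cn=permissions,cn=pbac,dc=example,dc=com");)
"""
# The same rule with the clauses joined only by 'and', as the grammar expects.
GOOD_ACI = BAD_ACI.replace('"; and', '" and')


if __name__ == "__main__":
    for label, aci in (("with stray ';'", BAD_ACI), ("corrected", GOOD_ACI)):
        print(label, "->", lint_aci(aci) or "OK")
```

The lint checks syntax only; it says nothing about the effective rights once the ACI is loaded. Those still have to be verified against the live server, by binding as an anonymous user, as the user itself and as a member of the permission group and reading the attribute back in each case.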
