On 05/17/2012 09:34 AM, Rob Crittenden wrote:
> ...
>
> The ACIs need a little bit of work. The name of the aci needs to
> match the name of the ACI that permission is being granted to, with a
> prefix of permission:. So it should look more like:
>
> aci: (targetattr = "attribute1 || attribute2 || attribute3")
> (version 3.0; acl "permission:Read custom attributes"; deny (all)
> (userdn = "ldap:///anyone" and userdn != "ldap:///self" and groupdn
> != "ldap:///cn=Read custom
> attributes,cn=permissions,cn=pbac,dc=sesda2,dc=com");)
>
> For the second ACI you don't need add and delete, those are
> entry-level permissions. You might want to add compare though.
>
> We also tend to separate things you can do to your own entry from
> things you can do to others. So we would break this out into some
> selfservice ACIs and permission ACIs. Not saying what you're doing
> won't work.
>
> rob
BTW, what's the origin of the naming restrictions? Is it an IPA thing?

Here are my updated ACIs:

dn: dc=sesda2,dc=com
changetype: modify
add: aci
aci: (targetattr = "privateAttribute1 || privateAttribute2 || privateAttribute3 || privateAttribute4") (version 3.0; acl "permission:Read custom attributes"; deny (all) (userdn = "ldap:///anyone" and groupdn != "ldap:///cn=Read custom attributes,cn=permissions,cn=pbac,dc=sesda2,dc=com");)

dn: dc=sesda2,dc=com
changetype: modify
add: aci
aci: (targetattr = "privateAttribute1 || privateAttribute2") (version 3.0; acl "permission:Does this need a special name?"; allow (read, search, compare) userdn = "ldap:///self";)

dn: dc=sesda2,dc=com
changetype: modify
add: aci
aci: (targetattr = "privateAttribute1 || privateAttribute2 || privateAttribute3 || privateAttribute4") (version 3.0; acl "permission:Manage custom attributes"; allow (read, write, search, compare) groupdn = "ldap:///cn=Manage custom attributes,cn=permissions,cn=pbac,dc=sesda2,dc=com";)

-----
*question everything*learn something*answer nothing*
------------
Lucas Yamanishi
------------------
Systems Administrator, ADNET Systems, Inc.
7515 Mission Drive, Suite A100
Lanham, MD 20706
* 301-352-4646 * 0xE23F3D7A

_______________________________________________
Freeipa-users mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/freeipa-users
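The two review points Rob raises (the acl name must be "permission:" plus the name of the permission group the groupdn refers to, and add/delete are entry-level rights that do not belong in an attribute-scoped ACI) can be checked mechanically before an LDIF is applied. The script below is an added example written for this page, not code from the thread or from FreeIPA; its regular expressions assume the single-line ACI layout shown in the LDIF above, and BAD_ACI is a constructed counter-example.

```python
import re

# Pieces of a 389-DS / FreeIPA ACI string that the conventions discussed above touch
ACL_NAME_RE = re.compile(r'acl\s+"([^"]*)"')
TARGETATTR_RE = re.compile(r'targetattr\s*=\s*"([^"]*)"')
RIGHTS_RE = re.compile(r'\b(allow|deny)\s*\(([^)]*)\)')
# groupdn (with = or !=) pointing at a FreeIPA permission entry under cn=permissions,cn=pbac
PERM_GROUP_RE = re.compile(r'groupdn\s*!?=\s*"ldap:///cn=([^,"]+),cn=permissions,cn=pbac,[^"]*"')

ENTRY_LEVEL_RIGHTS = {"add", "delete"}
PREFIX = "permission:"

def parse_aci(aci):
    """Extract acl name, target attributes, rights and referenced permission groups."""
    name = ACL_NAME_RE.search(aci)
    attrs = TARGETATTR_RE.search(aci)
    rights = RIGHTS_RE.search(aci)
    return {
        "name": name.group(1) if name else "",
        "attrs": [a.strip() for a in attrs.group(1).split("||")] if attrs else [],
        "rights": [r.strip().lower() for r in rights.group(2).split(",")] if rights else [],
        "permission_groups": PERM_GROUP_RE.findall(aci),
    }

def lint_aci(aci):
    """Return findings; an empty list means the ACI follows the naming/rights conventions."""
    info = parse_aci(aci)
    findings = []
    if not info["name"].startswith(PREFIX):
        findings.append("acl name does not start with 'permission:'")
    perm_name = info["name"][len(PREFIX):]
    for group in info["permission_groups"]:
        if group != perm_name:
            findings.append(f"acl name {perm_name!r} does not match permission group {group!r}")
    if info["attrs"] and ENTRY_LEVEL_RIGHTS & set(info["rights"]):
        findings.append("entry-level rights (add/delete) granted in an attribute-scoped ACI")
    return findings

# The "Read custom attributes" ACI from the thread above, on a single line
READ_ACI = ('(targetattr = "privateAttribute1 || privateAttribute2") (version 3.0; '
            'acl "permission:Read custom attributes"; deny (all) (userdn = "ldap:///anyone" '
            'and groupdn != "ldap:///cn=Read custom attributes,cn=permissions,cn=pbac,dc=sesda2,dc=com");)')
# Constructed counter-example: name and group disagree, and add/delete appear on an attribute ACI
BAD_ACI = ('(targetattr = "privateAttribute1") (version 3.0; acl "permission:Read foo"; '
           'allow (read, add, delete) groupdn = "ldap:///cn=Read custom attributes,cn=permissions,cn=pbac,dc=sesda2,dc=com";)')

if __name__ == "__main__":
    for label, aci in (("READ_ACI", READ_ACI), ("BAD_ACI", BAD_ACI)):
        print(label, lint_aci(aci) or ["ok"])
```

Running it over each aci: line of an LDIF before ldapmodify catches a mismatched permission name or stray add/delete right while it is still cheap to fix.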
