[389-users] Re: ACI help

2017-09-11 Thread William Brown
On Mon, 2017-09-11 at 09:30 -0300, Alberto Viana wrote:
> Ludwig/William,
> 
> *As a follow up, please don't use targetattr!=userPassword. This exposes*
> *a *lot* of internal system attributes to the user object in question.*
> *It's much better if you limit this to just the attributes required like:*
> 
> *=> * Thanks for the tip, I will do that.
> 
> 
> *So I just have a wild guess. I think you anonymized the aci for this post
> using "test-user" and "dc=my,dc=domain". could you verify that you haven't
> a typo in the real aci for the userdn ?*
> 
> *=> *You were right, there was a typo in my userdn, now everything is
> working as expected.
> 
> 
> Thanks a lot to you both.

Glad that you solved it, and that it's all working! Happy to help out,

-- 
Sincerely,

William Brown
Software Engineer
Red Hat, Australia/Brisbane



___
389-users mailing list -- 389-users@lists.fedoraproject.org
To unsubscribe send an email to 389-users-le...@lists.fedoraproject.org


[389-users] Re: ACI help

2017-09-11 Thread Alberto Viana
Ludwig/William,

*As a follow up, please don't use targetattr!=userPassword. This exposes*
*a *lot* of internal system attributes to the user object in question.*
*It's much better if you limit this to just the attributes required like:*

*=> * Thanks for the tip, I will do that.


*So I just have a wild guess. I think you anonymized the aci for this post
using "test-user" and "dc=my,dc=domain". could you verify that you haven't
a typo in the real aci for the userdn ?*

*=> *You were right, there was a typo in my userdn, now everything is
working as expected.


Thanks a lot to you both.


Cheers,

Alberto Viana

On Thu, Sep 7, 2017 at 5:30 AM, Ludwig Krispenz  wrote:

>
> On 09/07/2017 02:25 AM, William Brown wrote:
>
> On Wed, 2017-09-06 at 16:55 -0300, Alberto Viana wrote:
>
> Hi Folks,
>
> 389-Directory/1.3.7.3.20170901gite67788a B2017.244.1727
>
> I'm trying to give specific read/search/compare permissions to a user in
> a sub OU in my tree.
>
> I deleted the default ACI "anonymous access" (for test purposes).
>
> I tried the following ACIs:
>
> OU scope:
>
> dn: OU=pop-ac,ou=pops,dc=my,dc=domain
> changetype: modify
> add: aci
> aci: (targetattr!="userPassword") (version 3.0;acl "All attributes PoP-AC
> Permissions";allow (read,search,compare)
> userdn="ldap:///uid=my-test-user,ou=aplicacoes,dc=my,dc=domain";)
>
> Log:
> [06/Sep/2017:16:15:32.427750186 -0300] - DEBUG - NSACLPlugin -
> print_access_control_summary - conn=47 op=1 (main): Deny search on
> entry(uid=rodrigo.nonato,ou=pop-ac,ou=pops,dc=my,dc=domain).attr(objectClass)
> to uid=my-test-user,ou=aplicacoes,dc=my,dc=domain: no aci matched the
> subject by aci(242): aciname= "SIE Group", acidn="dc=my,dc=domain"
>
> => SIE Group is one of the default 389 ACIs.
>
> or
>
> Whole domain scope:
>
> dn: dc=my,dc=domain
> changetype: modify
> add: aci
> aci:
> (target="ldap:///OU=pop-ac,ou=pops,dc=my,dc=domain")(targetattr!="userPassword")
> (version 3.0;acl "All attributes PoP-AC Permissions";allow
> (read,search,compare)
> userdn="ldap:///uid=my-test-user,ou=aplicacoes,dc=my,dc=domain";)
>
>
> Log:
> [06/Sep/2017:16:41:33.824679480 -0300] - DEBUG - NSACLPlugin -
> print_access_control_summary - conn=50 op=1 (main): Deny search on
> entry(uid=rodrigo.nonato,ou=pop-ac,ou=pops,dc=my,dc=domain).attr(objectClass)
> to uid=my-test-user,ou=aplicacoes,dc=my,dc=domain: no aci matched the
> subject by aci(253): aciname= "All attributes PoP-AC Permissions",
> acidn="dc=my,dc=domain"
>
>
>
> What I need: a user that has no other rights on my tree to read/search all
> attributes/users in a specific OU.
>
> Is that possible? What am I missing?
>
> So the aci guide is really long: we've been working to improve it lately
> to help with common aci questions like this so this is a great place to
> start:
> https://access.redhat.com/documentation/en-us/red_hat_directory_server/10/html/administration_guide/managing_access_control
>
>
> So the aci you have here:
>
>
> dn: OU=pop-ac,ou=pops,dc=my,dc=domain
> changetype: modify
> add: aci
> aci: (targetattr!="userPassword") (version 3.0;acl "All attributes PoP-AC
> Permissions";allow (read,search,compare)
> userdn="ldap:///uid=my-test-user,ou=aplicacoes,dc=my,dc=domain";)
>
> Should be the correct one.
>
> it is, and it works for me. The ( ) around the bind rule are not required.
>
> So I just have a wild guess. I think you anonymized the aci for this post
> using "test-user" and "dc=my,dc=domain". Could you verify that you don't have
> a typo in the real aci for the userdn?
>
> My guess is that the aci should be:
>
> (targetattr!="userPassword")(version 3.0;acl "All attributes PoP-AC
> Permissions"; allow
> (read,search,compare)(userdn="ldap:///uid=my-test-user,ou=aplicacoes,dc=my,dc=domain");)
>
> The change is the parens around the userdn.
>
> This should be on the OU=pop-ac,ou=pops,dc=my,dc=domain object.
>
> As well, you may need to start your query basedn at
> OU=pop-ac,ou=pops,dc=my,dc=domain rather than dc=my,dc=domain too.
>
>
>
> As a follow up, please don't use targetattr!=userPassword. This exposes
> a *lot* of internal system attributes to the user object in question.
> It's much better if you limit this to just the attributes required like:
>
> aci: (targetattr="objectClass || nsUniqueId || uid || displayName || loginShell || uidNumber || gidNumber || gecos || homeDirectory || givenName || cn || memberOf || mail || sshPublicKey || nsAccountLock || userCertificate")
> (target="ldap:///uid=*,ou=People,dc=blackhats,dc=net,dc=au")
> (targetfilter="(&(objectClass=account)(objectClass=person)(objectClass=posixaccount))")
> (version 3.0; acl "Enable anonymous partial user read"; allow (read, search, compare)(userdn="ldap:///anyone");)
>
> Hope that helps a little bit.
>
>
>
> Thanks
>
> Cheers,
>
> Alberto Viana
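The two practical points of this thread are that a negated `targetattr!=` grants every attribute except the listed ones (so an explicit attribute list is the safer form) and that a typo in a bind-rule DN silently makes the ACI match nobody. The following Python script, added here as an illustration and not code from the thread or from the 389 Directory Server project, audits the `aci` values in an LDIF export for exactly those two problems: it unfolds LDIF continuation lines, flags negated or wildcard `targetattr` clauses, and checks that every DN inside an `ldap:///` URL sits under the directory suffix you pass in. The sample LDIF, the suffix `dc=example,dc=test` and the entry DNs are constructed for the example.

```python
import re

# Constructed sample LDIF export (not from the thread). The three ACIs show a
# negated targetattr, an explicit attribute list, and a bind rule whose DN
# carries a typo in the suffix ("dc=exmaple").
SAMPLE_LDIF = """\
dn: ou=pop-ac,ou=pops,dc=example,dc=test
aci: (targetattr!="userPassword")(version 3.0;acl "All attributes PoP-AC Permi
 ssions"; allow (read,search,compare)(userdn="ldap:///uid=my-test-user,ou=apli
 cacoes,dc=example,dc=test");)

dn: ou=People,dc=example,dc=test
aci: (targetattr="objectClass || uid || cn || mail")(target="ldap:///uid=*,ou=P
 eople,dc=example,dc=test")(version 3.0; acl "Partial user read"; allow (read,
  search, compare)(userdn="ldap:///anyone");)

dn: ou=apps,dc=example,dc=test
aci: (targetattr="cn || mail")(version 3.0; acl "App read"; allow (read,search,
 compare)(userdn="ldap:///uid=app,ou=aplicacoes,dc=exmaple,dc=test");)
"""

NEGATED_TARGETATTR = re.compile(r'\(\s*targetattr\s*!=', re.I)
WILDCARD_TARGETATTR = re.compile(r'\(\s*targetattr\s*=\s*"\*"', re.I)
LDAP_URL = re.compile(r'ldap:///([^"]*)')
# Bind-rule keywords that are not DNs and therefore not checked against the suffix.
BIND_KEYWORDS = {"anyone", "all", "self", "parent"}


def parse_ldif_acis(ldif_text):
    """Return a list of (entry DN, [aci value, ...]) from an LDIF export.

    LDIF folds long values: a line starting with a single space continues the
    previous line, so those breaks are removed before attributes are read.
    """
    unfolded = re.sub(r"\n ", "", ldif_text)
    result = []
    for block in re.split(r"\n\s*\n", unfolded.strip()):
        dn, acis = None, []
        for line in block.splitlines():
            if line.lower().startswith("dn:"):
                dn = line[3:].strip()
            elif line.lower().startswith("aci:"):
                acis.append(line[4:].strip())
        if dn is not None and acis:
            result.append((dn, acis))
    return result


def _normalize_dn(dn):
    # Lower-case and drop whitespace after commas so "ou=a, dc=b" == "ou=a,dc=b".
    return re.sub(r",\s+", ",", dn).lower()


def audit_aci(aci, suffix):
    """Return a list of human-readable findings for one ACI (empty means clean)."""
    findings = []
    if aci.count('"') % 2:
        findings.append("unbalanced double quotes")
    if aci.count("(") != aci.count(")"):
        findings.append("unbalanced parentheses")

    broad = False
    if NEGATED_TARGETATTR.search(aci):
        broad = True
        findings.append("negated targetattr: grants every attribute except those "
                        "listed, including operational attributes")
    if WILDCARD_TARGETATTR.search(aci):
        broad = True
        findings.append("wildcard targetattr: grants all attributes")

    suffix_norm = _normalize_dn(suffix)
    for url in LDAP_URL.findall(aci):
        # An LDAP URL may carry ?attrs?scope?filter after the DN; only the DN is checked.
        dn = _normalize_dn(url.split("?")[0])
        if dn in BIND_KEYWORDS:
            if dn == "anyone" and broad:
                findings.append("anonymous bind rule combined with a broad attribute grant")
            continue
        if not (dn == suffix_norm or dn.endswith("," + suffix_norm)):
            findings.append(f"DN outside suffix {suffix} (typo?): {url}")
    return findings


def audit_ldif(ldif_text, suffix):
    """Map (entry DN, aci index) to that ACI's findings for every entry in the export."""
    report = {}
    for dn, acis in parse_ldif_acis(ldif_text):
        for i, aci in enumerate(acis):
            report[(dn, i)] = audit_aci(aci, suffix)
    return report


if __name__ == "__main__":
    for (dn, i), findings in audit_ldif(SAMPLE_LDIF, "dc=example,dc=test").items():
        print(f"{dn} aci[{i}]: {'OK' if not findings else '; '.join(findings)}")
```

Run it against a real export (for example the output of `db2ldif` or an `ldapsearch` for `aci` with the `dn` included) by replacing `SAMPLE_LDIF` with the file contents and passing your own suffix; the suffix check is what would have caught the mistyped userdn in this thread before any searching through `NSACLPlugin` debug logs.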