Difference between revisions of "DS Authorization"
From Dogtag
m (→References) |
m (→Setting ACI) |
||
(16 intermediate revisions by the same user not shown) | |||
Line 1: | Line 1: | ||
− | == Instance | + | = Access Control Instruction = |
+ | |||
+ | ACI is defined in directory entry: | ||
+ | |||
+ | <pre> | ||
+ | dn: ... | ||
+ | ... | ||
+ | aci: (target_rule)(version 3.0; acl "ACL_name"; permission_rule bind_rules;) | ||
+ | </pre> | ||
+ | |||
+ | == Target Rules == | ||
+ | |||
+ | Syntax: | ||
+ | |||
+ | <pre> | ||
+ | keyword comparison_operator "expression" | ||
+ | </pre> | ||
+ | |||
+ | Examples: | ||
+ | |||
+ | {| class="wikitable" | ||
+ | ! Description | ||
+ | ! Target Rule | ||
+ | |- | ||
+ | | Subtree | ||
+ | | target = "ldap:///dc=example,dc=com" | ||
+ | |- | ||
+ | | Wildcard | ||
+ | | target = "ldap:///uid=*,dc=example,dc=com" | ||
+ | |- | ||
+ | | Specific attribute | ||
+ | | targetattr = "userPassword" | ||
+ | |- | ||
+ | | Search filter | ||
+ | | targetfilter = "(uid=*)" | ||
+ | |} | ||
+ | |||
+ | See also: | ||
+ | * [https://access.redhat.com/documentation/en-us/red_hat_directory_server/10/html-single/administration_guide/index#defining_targets Defining Targets] | ||
+ | |||
+ | == Permissions == | ||
+ | |||
+ | Syntax: | ||
+ | |||
+ | <pre> | ||
+ | permission (rights) | ||
+ | </pre> | ||
+ | |||
+ | Examples: | ||
+ | |||
+ | {| class="wikitable" | ||
+ | ! Description | ||
+ | ! Permission | ||
+ | |- | ||
+ | | Granting rights | ||
+ | | allow (search, read) | ||
+ | |- | ||
+ | | Denying rights | ||
+ | | deny (write) | ||
+ | |} | ||
+ | |||
+ | See also: | ||
+ | |||
+ | * [https://access.redhat.com/documentation/en-us/red_hat_directory_server/10/html-single/administration_guide/index#defining_permissions Defining Permissions] | ||
+ | |||
+ | == Bind Rules == | ||
+ | |||
+ | Syntax: | ||
+ | |||
+ | <pre> | ||
+ | keyword comparison_operator "expression" | ||
+ | </pre> | ||
+ | |||
+ | Examples: | ||
+ | |||
+ | {| class="wikitable" | ||
+ | ! Description | ||
+ | ! Bind Rule | ||
+ | |- | ||
+ | | Anonymous users | ||
+ | | userdn = "ldap:///anyone" | ||
+ | |- | ||
+ | | Authenticated users | ||
+ | | userdn = "ldap:///all" | ||
+ | |- | ||
+ | | Self | ||
+ | | userdn = "ldap:///self" | ||
+ | |- | ||
+ | | Children | ||
+ | | userdn = "ldap:///parent" | ||
+ | |- | ||
+ | | Specific user | ||
+ | | userdn = "ldap:///uid=admin,ou=people,dc=example,dc=com" | ||
+ | |- | ||
+ | | User filter | ||
+ | | userdn = "ldap:///ou=people,dc=example,dc=com??sub?(department=Engineering)" | ||
+ | |- | ||
+ | | Group members | ||
+ | | groupdn = "ldap:///cn=admins,ou=groups,dc=example,dc=com" | ||
+ | |- | ||
+ | | Group filter | ||
+ | | groupdn = "ldap:///ou=groups,dc=example,dc=com??sub?(department=Engineering)" | ||
+ | |} | ||
+ | |||
+ | See also: | ||
+ | |||
+ | * [https://access.redhat.com/documentation/en-us/red_hat_directory_server/10/html-single/administration_guide/index#defining_bind_rules Defining Bind Rules] | ||
+ | |||
+ | = Setting ACI = | ||
+ | |||
+ | <pre> | ||
+ | $ ldapmodify -h $HOSTNAME -x -D "cn=Directory Manager" -w Secret.123 << EOF | ||
+ | dn: dc=example,dc=com | ||
+ | changetype: modify | ||
+ | replace: aci | ||
+ | aci: (target = "ldap:///dc=example,dc=com")(version 3.0; acl "Allow anyone to read and search"; allow (search, read) userdn = "ldap:///anyone";) | ||
+ | EOF | ||
+ | </pre> | ||
+ | |||
+ | = Instance ACIs = | ||
<pre> | <pre> | ||
Line 23: | Line 142: | ||
</pre> | </pre> | ||
− | + | = Subsystem ACIs = | |
<pre> | <pre> | ||
Line 47: | Line 166: | ||
</pre> | </pre> | ||
− | = | + | = See Also = |
* [[PKI LDAP]] | * [[PKI LDAP]] | ||
+ | * [https://access.redhat.com/documentation/en-us/red_hat_directory_server/10/html-single/administration_guide/index#managing_access_control RHDS 10: Managing Access Control] |
Revision as of 00:53, 12 July 2019
Contents
Access Control Instruction
ACI is defined in directory entry:
dn: ... ... aci: (target_rule)(version 3.0; acl "ACL_name"; permission_rule bind_rules;)
Target Rules
Syntax:
keyword comparison_operator "expression"
Examples:
Description | Target Rule |
---|---|
Subtree | target = "ldap:///dc=example,dc=com" |
Wildcard | target = "ldap:///uid=*,dc=example,dc=com" |
Specific attribute | targetattr = "userPassword" |
Search filter | targetfilter = "(uid=*)" |
See also:
Permissions
Syntax:
permission (rights)
Examples:
Description | Permission |
---|---|
Granting rights | allow (search, read) |
Denying rights | deny (write) |
See also:
Bind Rules
Syntax:
keyword comparison_operator "expression"
Examples:
Description | Bind Rule |
---|---|
Anonymous users | userdn = "ldap:///anyone" |
Authenticated users | userdn = "ldap:///all" |
Self | userdn = "ldap:///self" |
Children | userdn = "ldap:///parent" |
Specific user | userdn = "ldap:///uid=admin,ou=people,dc=example,dc=com" |
User filter | userdn = "ldap:///ou=people,dc=example,dc=com??sub?(department=Engineering)" |
Group members | groupdn = "ldap:///cn=admins,ou=groups,dc=example,dc=com" |
Group filter | groupdn = "ldap:///ou=groups,dc=example,dc=com??sub?(department=Engineering)" |
See also:
Setting ACI
$ ldapmodify -h $HOSTNAME -x -D "cn=Directory Manager" -w Secret.123 << EOF dn: dc=example,dc=com changetype: modify replace: aci aci: (target = "ldap:///dc=example,dc=com")(version 3.0; acl "Allow anyone to read and search"; allow (search, read) userdn = "ldap:///anyone";) EOF
Instance ACIs
dn: cn=ldbm database,cn=plugins,cn=config changetype: modify add: aci aci: (targetattr=*)(version 3.0; acl "Cert Manager access for VLV searches"; allow (read) userdn="ldap:///{dbuser}";) dn: cn=config changetype: modify add: aci aci: (targetattr != aci)(version 3.0; aci "cert manager read access"; allow (read, search, compare) userdn = "ldap:///{dbuser}";) dn: ou=csusers,cn=config changetype: modify add: aci aci: (targetattr != aci)(version 3.0; aci "cert manager manage replication users"; allow (all) userdn = "ldap:///{dbuser}";) dn: cn=tasks,cn=config changetype: modify add: aci aci: (targetattr=*)(version 3.0; acl "cert manager: Run tasks after replica re-initialization"; allow (add) userdn = "ldap:///{dbuser}";)
Subsystem ACIs
dn: {rootSuffix} changetype: modify add: aci aci: (targetattr=*)(version 3.0; acl "cert manager access v2"; allow (all) userdn = "ldap:///{dbuser}";) dn: cn="{rootSuffix}",cn=mapping tree,cn=config changetype: modify add: aci aci: (targetattr=*)(version 3.0;acl "cert manager: Add Replication Agreements";allow (add) userdn = "ldap:///{dbuser}";) dn: cn="{rootSuffix}",cn=mapping tree,cn=config changetype: modify add: aci aci: (targetattr=*)(targetfilter="(|(objectclass=nsds5Replica)(objectclass=nsds5replicationagreement)(objectclass=nsDSWindowsReplicationAgreement)(objectClass=nsMappingTree))")(version 3.0; acl "cert manager: Modify Replication Agreements"; allow (read, write, search) userdn = "ldap:///{dbuser}";) dn: cn="{rootSuffix}",cn=mapping tree,cn=config changetype: modify add: aci aci: (targetattr=*)(targetfilter="(|(objectclass=nsds5replicationagreement)(objectclass=nsDSWindowsReplicationAgreement))")(version 3.0;acl "cert manager: Remove Replication Agreements";allow (delete) userdn = "ldap:///{dbuser}";)