DS Authorization

From Dogtag
Revision as of 00:53, 12 July 2019 by Edewata (talk | contribs) (Setting ACI)


Access Control Instruction

An ACI is stored in the aci attribute of a directory entry; it applies to that entry and its subtree:

dn: ...
...
aci: (target_rule)(version 3.0; acl "ACL_name"; permission_rule bind_rules;)

Target Rules

Syntax:

keyword comparison_operator "expression"

Examples:

Description          Target Rule
Subtree              target = "ldap:///dc=example,dc=com"
Wildcard             target = "ldap:///uid=*,dc=example,dc=com"
Specific attribute   targetattr = "userPassword"
Search filter        targetfilter = "(uid=*)"


Permissions

Syntax:

permission (rights)

Examples:

Description       Permission
Granting rights   allow (search, read)
Denying rights    deny (write)


Bind Rules

Syntax:

keyword comparison_operator "expression"

Examples:

Description                  Bind Rule
Anonymous users              userdn = "ldap:///anyone"
Authenticated users          userdn = "ldap:///all"
Self                         userdn = "ldap:///self"
Children of the bound user   userdn = "ldap:///parent"
Specific user                userdn = "ldap:///uid=admin,ou=people,dc=example,dc=com"
User filter                  userdn = "ldap:///ou=people,dc=example,dc=com??sub?(department=Engineering)"
Group members                groupdn = "ldap:///cn=admins,ou=groups,dc=example,dc=com"
Group filter                 groupdn = "ldap:///ou=groups,dc=example,dc=com??sub?(department=Engineering)"


Setting ACI

$ ldapmodify -h $HOSTNAME -x -D "cn=Directory Manager" -w Secret.123 << EOF
dn: dc=example,dc=com
changetype: modify
replace: aci
aci: (target = "ldap:///dc=example,dc=com")(version 3.0; acl "Allow anyone to read and search"; allow (search, read) userdn = "ldap:///anyone";)
EOF
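As an added example (not part of this wiki page or of the Dogtag code base), the following Python splits an aci value into the target rules, acl name, permission and bind rules described in the sections above, and then flags allow rules that grant write-class rights to anyone or all. The sample ACIs and the pkidbuser DN are constructed for the example.

```python
import re

# Constructed sample ACIs (not copied from a live server). The first two follow
# the syntax shown on this page; the third is deliberately over-broad so the
# audit has something to flag. "pkidbuser" stands in for the {dbuser} DN.
SAMPLE_ACIS = [
    '(target = "ldap:///dc=example,dc=com")(version 3.0; acl "Allow anyone to read '
    'and search"; allow (search, read) userdn = "ldap:///anyone";)',
    '(targetattr != aci)(targetfilter="(objectclass=nsds5Replica)")(version 3.0; '
    'acl "cert manager read access"; allow (read, search, compare) '
    'userdn = "ldap:///uid=pkidbuser,ou=people,dc=example,dc=com";)',
    '(targetattr=*)(version 3.0; acl "too broad"; allow (all) userdn = "ldap:///anyone";)',
]

# One target rule: keyword, = or !=, then a quoted or bare value.
TARGET_RE = re.compile(r'\(\s*(target\w*)\s*(!?=)\s*(?:"([^"]*)"|([^)"\s]+))\s*\)')
# The body: version, acl name, then everything up to the closing parenthesis.
BODY_RE = re.compile(r'\(version\s+3\.0\s*;\s*(?:acl|aci)\s+"([^"]*)"\s*;\s*(.*)\)\s*$', re.S)
# One permission rule plus its bind rule(s), terminated by ';'.
PERM_RE = re.compile(r'(allow|deny)\s*\(([^)]*)\)\s*(.*?);', re.S)

def parse_aci(aci):
    """Split one ACI value into target rules, acl name and permission/bind rules."""
    idx = aci.find('(version')
    if idx < 0:
        raise ValueError('not an ACI: %r' % aci)
    targets = [(m.group(1), m.group(2), m.group(3) if m.group(3) is not None else m.group(4))
               for m in TARGET_RE.finditer(aci[:idx])]
    body = BODY_RE.match(aci[idx:])
    if not body:
        raise ValueError('malformed ACI body: %r' % aci)
    perms = [{'type': kind, 'rights': [r.strip() for r in rights.split(',')],
              'bind': bind.strip()}
             for kind, rights, bind in PERM_RE.findall(body.group(2))]
    return {'targets': targets, 'name': body.group(1), 'permissions': perms}

# Bind rules that match every bind, and rights that change data.
BROAD_BINDS = ('"ldap:///anyone"', '"ldap:///all"')
WRITE_RIGHTS = {'write', 'add', 'delete', 'moddn', 'proxy', 'all'}

def audit_aci(aci):
    """Return findings for allow rules granting write-class rights to anyone/all."""
    parsed = parse_aci(aci)
    findings = []
    for p in parsed['permissions']:
        risky = WRITE_RIGHTS & set(p['rights'])
        if p['type'] == 'allow' and risky and any(b in p['bind'] for b in BROAD_BINDS):
            findings.append('%s: allows %s to %s'
                            % (parsed['name'], ', '.join(sorted(risky)), p['bind']))
    return findings
```

Run audit_aci over every aci value exported with ldapsearch to review the grants before and after applying the changes from the Instance and Subsystem ACI sections.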

Instance ACIs

dn: cn=ldbm database,cn=plugins,cn=config
changetype: modify
add: aci
aci: (targetattr=*)(version 3.0; acl "Cert Manager access for VLV searches"; allow (read) userdn="ldap:///{dbuser}";)

dn: cn=config
changetype: modify
add: aci
aci: (targetattr != aci)(version 3.0; aci "cert manager read access"; allow (read, search, compare) userdn = "ldap:///{dbuser}";)

dn: ou=csusers,cn=config
changetype: modify
add: aci
aci: (targetattr != aci)(version 3.0; aci "cert manager manage replication users"; allow (all) userdn = "ldap:///{dbuser}";)

dn: cn=tasks,cn=config
changetype: modify
add: aci
aci: (targetattr=*)(version 3.0; acl "cert manager: Run tasks after replica re-initialization"; allow (add) userdn = "ldap:///{dbuser}";)

Subsystem ACIs

dn: {rootSuffix}
changetype: modify
add: aci
aci: (targetattr=*)(version 3.0; acl "cert manager access v2"; allow (all) userdn = "ldap:///{dbuser}";)

dn: cn="{rootSuffix}",cn=mapping tree,cn=config
changetype: modify
add: aci
aci: (targetattr=*)(version 3.0;acl "cert manager: Add Replication Agreements";allow (add) userdn = "ldap:///{dbuser}";)

dn: cn="{rootSuffix}",cn=mapping tree,cn=config
changetype: modify
add: aci
aci: (targetattr=*)(targetfilter="(|(objectclass=nsds5Replica)(objectclass=nsds5replicationagreement)(objectclass=nsDSWindowsReplicationAgreement)(objectClass=nsMappingTree))")(version 3.0; acl "cert manager: Modify Replication Agreements"; allow (read, write, search) userdn = "ldap:///{dbuser}";)

dn: cn="{rootSuffix}",cn=mapping tree,cn=config
changetype: modify
add: aci
aci: (targetattr=*)(targetfilter="(|(objectclass=nsds5replicationagreement)(objectclass=nsDSWindowsReplicationAgreement))")(version 3.0;acl "cert manager: Remove Replication Agreements";allow (delete) userdn = "ldap:///{dbuser}";)
