[Fedora-directory-users] roles and access control

Rich Megginson rmeggins at redhat.com
Tue Jun 14 21:56:54 UTC 2005


Gary Mann wrote:

>
> a question:  we have a requirement where only users that have a role 
> are able to see role membership.  so if i have role A, i can see the 
> membership for role A (search on nsRole=<roleA>) but cannot 
> necessarily see role B members, etc.  the same restriction applies 
> when pulling the nsRole attribute.
>
> is there any way (via aci) to support this?  i've implemented a plugin 
> (actually 2 - a computed attribute and preop) that supports this but 
> wanted to make sure that i wasn't missing something in aci setup that 
> would accomplish the same thing.

Perhaps by using a targetfilter?  e.g. assuming the role definition 
entry is cn=MyRole,ou=people,dc=example,dc=com
dn: ou=people,dc=example,dc=com
...
aci: (targetattr="uid || 
cn")(targetfilter="(nsRole=cn=MyRole,ou=people,dc=example,dc=com)")(version 
3.0; acl "Allow people to see other role members"; allow (read, search, 
compare) roledn = "ldap:///cn=MyRole,ou=people,dc=example,dc=com";)

This allows people who are a member of MyRole to see the attributes uid 
and cn in any entry under ou=people which matches nsRole=cn=myRole,.... 
(i.e. any entry which belongs to that role).

I haven't tried it out but this or something like this should work.

See here for more info 
http://www.redhat.com/docs/manuals/dir-server/ag/7.1/acl.html#997355

>
> Thanks,
> Gary
>
> -- 
> Fedora-directory-users mailing list
> Fedora-directory-users at redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-directory-users

-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 3312 bytes
Desc: S/MIME Cryptographic Signature
URL: <http://listman.redhat.com/archives/fedora-directory-users/attachments/20050614/5a496f91/attachment.bin>


More information about the Fedora-directory-users mailing list