[Freeipa-users] 389-ds to free-ipa transition; transparent?

Rich Megginson rmeggins at redhat.com
Thu Sep 2 23:20:18 UTC 2010


Brian LaMere wrote:
>
>     The ACIs are defined inside the underlying Directory Server. See
>     details and syntax are here
>     http://directory.fedoraproject.org/wiki/Howto:AccessControl
>     The ACIs as you see can be group based. One does not need a
>     hierarchical
>     "ou" user structure in the DS for ACIs  - just groups. So all the
>     users
>     live in one container without any hierarchy.  All the hierarchy can be
>     accomplished by creating a combination of nested groups. Groups
>     live in
>     another container but on the same level. This is what we mean by "flat
>     tree".
>
>
> well, problem is that I want project managers to be able to create 
> customers within ou=customers...how does a flat DIT allow 
> otherwise unprivileged users the ability to create entries?  Note that 
> most of my directory won't be people or groups, but objects that 
> define things that tools then access for monitoring, 
> extending/expanding services, etc.  I could always create aci's that 
> allow particular groups to create entries with only a certain set of 
> attributeTypes and objectclasses, but in some cases those customers 
> should show up as valid users on a machine; "id customername" should 
> respond with stuff.  If the answer is that I'm not creative enough to 
> imagine how to restrict based on something other than ACIs on an ou, 
> then I suppose that's the answer ;)  If that's the case then I'll just 
> have to find the time to do an install, load my schema, and test to 
> see if everything I want to happen can be made to happen, and 
> everything I don't want to happen can be made to not happen.
389 access control is pretty powerful and flexible.  There's usually a 
way to do what you want to do without having to resort to using subtrees 
(as in AD).
http://www.redhat.com/docs/manuals/dir-server/8.2/admin/html/Managing_Access_Control.html
>
> Thanks,
> Brian LaMere
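The group-based ACI Brian describes (a group of otherwise unprivileged users allowed to create entries, limited to a fixed set of object classes and attributes) can be expressed in the 389 syntax linked above. The LDIF below is an added illustration, not code from either poster or from the FreeIPA or 389 projects; the suffix dc=example,dc=com, the ou=customers and ou=groups containers, the cn=project-managers group and the attribute list are constructed assumptions.

```ldif
# Constructed example: a subtree-level ACI on the ou=customers container.
# Members of cn=project-managers may ADD entries under ou=customers, but only
# entries that match the targetfilter (posixAccount, so "id customername"
# resolves via NSS) and only carrying the attributes listed in targetattr.
# Any other attribute or object class on the new entry is denied by default,
# since 389 denies everything an ACI does not explicitly allow.
dn: ou=customers,dc=example,dc=com
changetype: modify
add: aci
aci: (target = "ldap:///uid=*,ou=customers,dc=example,dc=com")
 (targetfilter = "(objectClass=posixAccount)")
 (targetattr = "objectClass || uid || cn || uidNumber || gidNumber || homeDirectory || loginShell || description")
 (version 3.0; acl "Project managers may create customer accounts";
  allow (add)
  groupdn = "ldap:///cn=project-managers,ou=groups,dc=example,dc=com";)
-
# Constructed example: the same group may later adjust a limited set of
# attributes on the entries it created, but not uidNumber/gidNumber or
# objectClass, so it cannot promote a customer entry into something else.
add: aci
aci: (target = "ldap:///uid=*,ou=customers,dc=example,dc=com")
 (targetfilter = "(objectClass=posixAccount)")
 (targetattr = "cn || homeDirectory || loginShell || description")
 (version 3.0; acl "Project managers may edit customer accounts";
  allow (write)
  groupdn = "ldap:///cn=project-managers,ou=groups,dc=example,dc=com";)
```

Applied with ldapmodify as Directory Manager, this grants the add right only to entries matching the targetfilter, which 389 evaluates against the entry being added, so a member of the group cannot create arbitrary objects under ou=customers; the targetattr list then bounds which attributes that new entry may carry. Membership in cn=project-managers is the only thing that needs to change to delegate or revoke this, which is the point of the "flat tree" argument above: the restriction lives on the target subtree and the group, not on a per-manager ou hierarchy. The effective-rights control (ldapsearch -E !effectiverights or the 389 "getEffectiveRights" search) is the usual way to confirm the result for a given bind DN before relying on it.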
