On 02/24/2014 11:35 PM, Rich Megginson wrote:
On 02/24/2014 02:47 PM, Noriko Hosoi wrote:
Rich Megginson wrote:
On 02/24/2014 09:00 AM, thierry bordaz wrote:
Hello,
IPA team filed this ticket
https://fedorahosted.org/389/ticket/47553.
It requires an ACI improvement so that during a MODDN a given
user is only allowed to move an entry from one specified part
of the DIT to another specified part of the DIT, without
the need to grant the ADD permission.
Here is the design of what could be implemented to support this
need
http://port389.org/wiki/Access_control_on_trees_specified_in_MODDN_operation
regards
thierry
Since this is not related to any Red Hat internal or customer
information, we should move this discussion to the 389-devel list.
Hi Thierry,
Your design looks good. A minor question. The doc does not mention
"deny". For instance, in your example DIT, can I allow
"moddn_to" and "moddn_from" on the top "dc=example,dc=com" and deny
them on "cn=tests"? Then I can move an entry between cn=accounts
and staging, but not to/from cn=tests? Or is "deny" not supposed to
be used there?
In which entry do you set these ACIs?
Do you set
aci: (target="ldap:///cn=staging,dc=example,dc=com")(version 3.0; acl "MODDN from"; allow (moddn_from) userdn="ldap:///uid=admin_accounts,dc=example,dc=com";)
in the cn=accounts,dc=example,dc=com entry?
Do you set
aci: (target="ldap:///cn=accounts,dc=example,dc=com")(version 3.0; acl "MODDN to"; allow (moddn_to) userdn="ldap:///uid=admin_accounts,dc=example,dc=com";)
in the cn=staging,dc=example,dc=com entry?
Hi Rich,
Yes, that is correct, I forgot to mention where those ACIs are stored.
They can be defined at an upper level with a target rule that
restricts the scope to the desired subtree, or they can be set
directly at the subtree level without a target rule.
I updated the document to better describe that
http://port389.org/wiki/Access_control_on_trees_specified_in_MODDN_operation#ACI_scope_and_targets
In that case we want to only allow a given user to move entries from
staging to production (accounts). My preferred solution would be to add:
* moddn_from at the entry cn=staging,dc=example,dc=com (without
target rule)
* moddn_to at the entry cn=accounts,dc=example,dc=com (without
target rule).
regards
thierry
Thanks,
--noriko
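To make the proposed semantics concrete, here is a small Python model of the MODDN check the design describes: a move is permitted only when a moddn_from right covers the entry where it currently sits and a moddn_to right covers its new location, with no ADD or DELETE right consulted. This is an added illustration written for this page, not 389 Directory Server code. It assumes that an ACI with a target rule covers the target subtree and an ACI without one covers the subtree it is placed in (as thierry describes), and it deliberately does not model "deny", which the thread leaves open. The entry names, the `Aci` class and `moddn_allowed` are constructed for the example; the DNs and ACI placements are the ones discussed above.

```python
"""Model of the MODDN access control proposed for 389 DS ticket 47553.

Added illustration, not 389 Directory Server code.  It assumes the
semantics described in the thread: a moddn_from right must cover the entry
at its current location and a moddn_to right must cover its new location,
and neither ADD nor DELETE is consulted.  Deny rules are not modelled.
"""
from dataclasses import dataclass
from typing import Optional


def dn_parts(dn: str) -> list:
    """Split a DN into lowercased RDN components, leaf first (no escaping)."""
    return [rdn.strip().lower() for rdn in dn.split(",")]


def is_within(dn: str, subtree: str) -> bool:
    """True if dn is the subtree root or lies anywhere below it."""
    parts, base = dn_parts(dn), dn_parts(subtree)
    return len(parts) >= len(base) and parts[-len(base):] == base


@dataclass(frozen=True)
class Aci:
    placed_at: str                # entry that carries the aci attribute
    rights: frozenset             # e.g. frozenset({"moddn_from"})
    userdn: str                   # bind DN the rights are granted to
    target: Optional[str] = None  # optional target rule narrowing the scope

    def scope(self) -> str:
        # Model assumption: with a target rule the ACI covers the target
        # subtree; without one it covers the subtree it is placed in.
        return self.target or self.placed_at

    def grants(self, right: str, user: str, entry_dn: str) -> bool:
        return (right in self.rights
                and dn_parts(user) == dn_parts(self.userdn)
                and is_within(entry_dn, self.scope()))


def moddn_allowed(acis, user: str, entry_dn: str, new_superior: str) -> bool:
    """Decide a MODDN (modrdn with newsuperior) under the proposed rights."""
    rdn = entry_dn.split(",", 1)[0]
    new_dn = f"{rdn},{new_superior}"
    from_ok = any(a.grants("moddn_from", user, entry_dn) for a in acis)
    to_ok = any(a.grants("moddn_to", user, new_dn) for a in acis)
    return from_ok and to_ok


# DNs from the thread; the user entry moved below is constructed.
ADMIN = "uid=admin_accounts,dc=example,dc=com"
STAGING = "cn=staging,dc=example,dc=com"
ACCOUNTS = "cn=accounts,dc=example,dc=com"
TESTS = "cn=tests,dc=example,dc=com"

# Thierry's preferred placement: each right on the subtree it concerns,
# without a target rule.
PREFERRED = [
    Aci(STAGING, frozenset({"moddn_from"}), ADMIN),
    Aci(ACCOUNTS, frozenset({"moddn_to"}), ADMIN),
]

# The placement from Rich's question: the same rights expressed with
# target rules on the neighbouring entry.
WITH_TARGETS = [
    Aci(ACCOUNTS, frozenset({"moddn_from"}), ADMIN, target=STAGING),
    Aci(STAGING, frozenset({"moddn_to"}), ADMIN, target=ACCOUNTS),
]


def decisions(acis) -> dict:
    """Outcome of three moves: the intended one and two that must stay denied."""
    user_entry = f"uid=jdoe,{STAGING}"
    return {
        "staging->accounts": moddn_allowed(acis, ADMIN, user_entry, ACCOUNTS),
        "staging->tests": moddn_allowed(acis, ADMIN, user_entry, TESTS),
        "accounts->staging": moddn_allowed(acis, ADMIN, f"uid=jdoe,{ACCOUNTS}", STAGING),
    }


if __name__ == "__main__":
    for name, acis in (("preferred", PREFERRED), ("with_targets", WITH_TARGETS)):
        print(name, decisions(acis))
```

Both placements yield the same decisions: only the staging to accounts move is allowed for admin_accounts, and a move into cn=tests or back from accounts into staging is refused because one of the two rights is missing at the relevant location. A bind DN that holds neither right is refused regardless of the DIT position.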
--
389-devel mailing list
389-de...@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/389-devel