Hi,

I have read various documents (including Red Hat ones) about ACI implementation, but the following basic scenario still confuses me.

* anonymous bind disabled
* each client server is authenticated with a unique username (e.g. "ou=ServerUsers,dc=domain,dc=com")

* "ou=Projects,dc=domain,dc=com" holds confidential data
==>
"uid=serveruser1,ou=ServerUsers,dc=domain,dc=com" should only be able to see one or several entries under "ou=Projects,dc=domain,dc=com"

QUESTION: in order to minimize the number of ACIs, how should I set up the described situation?
I have come up with the following options:

1. allow/deny
What is the correct way to use allow/deny? Because if I use a default deny on ou=Projects..., it overrides the allows.

2. custom attribute
Add a custom attribute somewhere and use that for ACI?

I could use some concrete examples. I couldn't find any relevant guides or I'm just blind. :) Thanks for help.

-Matti
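As an added illustration (not part of Matti's post or of the 389 project's own documentation), the two options above written out as LDIF fragments for a 389 Directory Server. They assume the DNs from the post, and option 2 assumes a hypothetical attribute `projectAccessUser` (DN syntax) that would first have to be added to the schema. The key point about allow/deny is that 389 DS denies any access that no ACI grants, and an explicit deny ACI always takes precedence over an allow ACI, so the usual pattern is to write only allow ACIs and never a blanket deny. The `userattr="attr#USERDN"` bind rule is a standard ACI keyword: it matches when the attribute on the target entry contains the DN the client bound with.

```ldif
# Option 1: one allow ACI on each project entry that a given server user
# may read. No deny ACI is needed anywhere: without a matching allow ACI
# serveruser1 cannot see any other entry under ou=Projects.
dn: cn=project1,ou=Projects,dc=domain,dc=com
changetype: modify
add: aci
aci: (targetattr="*")
  (version 3.0; acl "serveruser1 may read project1";
  allow (read,search,compare)
  userdn="ldap:///uid=serveruser1,ou=ServerUsers,dc=domain,dc=com";)

# Option 2: a single ACI on ou=Projects. It grants read access to any
# entry in the subtree whose projectAccessUser attribute (hypothetical,
# requires a schema extension) holds the bind DN. Which server user may
# see which project is then controlled by editing that attribute on the
# project entries, not by adding further ACIs.
dn: ou=Projects,dc=domain,dc=com
changetype: modify
add: aci
aci: (targetattr="*")
  (version 3.0; acl "project members may read their own projects";
  allow (read,search,compare)
  userattr="projectAccessUser#USERDN";)

# Constructed sample data for option 2: serveruser1 is listed on
# project1 only, so a subtree search under ou=Projects bound as
# serveruser1 returns project1 and nothing else.
dn: cn=project1,ou=Projects,dc=domain,dc=com
changetype: modify
add: projectAccessUser
projectAccessUser: uid=serveruser1,ou=ServerUsers,dc=domain,dc=com
```

The continuation lines of each `aci:` value start with two spaces on purpose: LDIF strips the first space when folding the line, and the second keeps the ACI tokens separated. After loading either fragment, a useful check is to bind as serveruser1 and run a subtree search with base ou=Projects,dc=domain,dc=com; the result should contain only the permitted project entries, and the same search bound as another server user should return none of them.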
--
389 users mailing list
389-users@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/389-users
