On 17/2/20 1:24 pm, William Brown wrote:
>
>> On 17 Feb 2020, at 12:19, Grant Byers <grant.by...@aarnet.edu.au> wrote:
>>
>> Hi,
>>
>> In an effort to tighten search and read permissions on our internal
>> directory server, we've limited accounts to read certain attributes of
>> "self". They have search on the entire tree, but otherwise no read
>> perms. This is all well and good for clients that utilize the memberOf
>> attribute of self, but not so good for applications that utilize
>> memberUid, or insist on searching for groupOfUniqueNames or
>> groupOfNames then enumerating them programmatically to determine which
>> groups the user belongs to after binding as the user.
>>
>> So. I've been reading docs and haven't been able to find anything, but I
>> was wanting to do something like this;
>>
>>
>> dn: ou=groups,dc=example,dc=com
>> aci: (targetattr = "*")
>> (targetfilter = "(&(objectClass=groupOfUniqueNames)(uniqueMember={{rdn
>> of self}})")
>> (version 3.0; acl "Allow authenticated users to read own group
>> membership"; allow (read,compare,search)
>> (userdn="ldap:///all";);)
>>
>>
>> where the target filter limits results to only those that match
>> uniqueMember={{rdn of self}}
>>
>>
>> Is this possible?
> Yes, but I'd suggest you tighten it up a bit. targetattr = * is really
> dangerous, it really means everything, including internal system attributes.
>
> You probably want "(targetattr = "objectClass || uniquemember || cn ||
> memberUid || member || memberOf")(targetfilter = "....")
>
> There is a section in the redhat ds guide that may help a lot
>
> https://access.redhat.com/documentation/en-us/red_hat_directory_server/10/html/administration_guide/managing_access_control
>
> In general, keep your aci's as targeted and as specific as possible.
>
> I'm very happy to review these further if you need :)
For sure, I'll definitely be restricting attributes (as I have done with
other targeted ACIs). I'm working toward least privilege.
I've reviewed that doco multiple times now, but still don't see how this
is possible. I must be missing something! I assume it has to be
targetfilter. Am I to do something like this?
(targetfilter =
"(&(objectClass=groupOfUniqueNames)(uniqueMember=ldap:///self?dn)")
Thanks,
Grant
>>
>> Thanks,
>> Grant
>> _______________________________________________
>> 389-users mailing list -- 389-users@lists.fedoraproject.org
>> To unsubscribe send an email to 389-users-le...@lists.fedoraproject.org
>> Fedora Code of Conduct:
>> https://docs.fedoraproject.org/en-US/project/code-of-conduct/
>> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
>> List Archives:
>> https://lists.fedoraproject.org/archives/list/389-users@lists.fedoraproject.org
> —
> Sincerely,
>
> William Brown
>
> Senior Software Engineer, 389 Directory Server
> SUSE Labs
> _______________________________________________
> 389-users mailing list -- 389-users@lists.fedoraproject.org
> To unsubscribe send an email to 389-users-le...@lists.fedoraproject.org
> Fedora Code of Conduct:
> https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives:
> https://lists.fedoraproject.org/archives/list/389-users@lists.fedoraproject.org
_______________________________________________
389-users mailing list -- 389-users@lists.fedoraproject.org
To unsubscribe send an email to 389-users-le...@lists.fedoraproject.org
Fedora Code of Conduct:
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives:
https://lists.fedoraproject.org/archives/list/389-users@lists.fedoraproject.org
