Got it..
(userattr = "uniqueMember#USERDN")
Thanks!
On 17/2/20 2:02 pm, Grant Byers wrote:
> On 17/2/20 1:24 pm, William Brown wrote:
>>> On 17 Feb 2020, at 12:19, Grant Byers <grant.by...@aarnet.edu.au> wrote:
>>>
>>> Hi,
>>>
>>> In an effort to tighten search and read permissions on our internal
>>> directory server, we've limited accounts to read certain attributes of
>>> "self". They have search on the entire tree, but otherwise no read
>>> perms. This is all well and good for clients that utilize the memberOf
>>> attribute of self, but not so good for applications that utilize
>>> memberUid, or insist on searching for groupOfUniqueNames or
>>> groupOfNames then enumerating them programmatically to determine which
>>> groups the user belongs to after binding as the user.
>>>
>>> So. I've been reading docs and haven't been able to find anything, but I
>>> was wanting to do something like this;
>>>
>>>
>>> dn: ou=groups,dc=example,dc=com
>>> aci: (targetattr = "*")
>>> (targetfilter = "(&(objectClass=groupOfUniqueNames)(uniqueMember={{rdn
>>> of self}})")
>>> (version 3.0; acl "Allow authenticated users to read own group
>>> membership"; allow (read,compare,search)
>>> (userdn="ldap:///all";);)
>>>
>>>
>>> where the target filter limits results to only those that match
>>> uniqueMember={{rdn of self}}
>>>
>>>
>>> Is this possible?
>> Yes, but I'd suggest you tighten it up a bit. targetattr = * is really
>> dangerous, it really means everything, including internal system attributes.
>>
>> You probably want "(targetattr = "objectClass || uniquemember || cn ||
>> memberUid || member || memberOf")(targetfilter = "....")
>>
>> There is a section in the redhat ds guide that may help a lot
>>
>> https://access.redhat.com/documentation/en-us/red_hat_directory_server/10/html/administration_guide/managing_access_control
>>
>> In general, keep your aci's as targeted and as specific as possible.
>>
>> I'm very happy to review these further if you need :)
>
> For sure, I'll definitely be restricting attributes (as I have done with
> other targeted ACIs). I'm working toward least privilege.
>
>
> I've reviewed that doco multiple times now, but still don't see how this
> is possible. I must be missing something! I assume it has to be
> targetfilter. Am I to do something like this?
>
>
> (targetfilter =
> "(&(objectClass=groupOfUniqueNames)(uniqueMember=ldap:///self?dn)")
>
>
> Thanks,
>
> Grant
>
>
>>> Thanks,
>>> Grant
>>> _______________________________________________
>>> 389-users mailing list -- 389-users@lists.fedoraproject.org
>>> To unsubscribe send an email to 389-users-le...@lists.fedoraproject.org
>>> Fedora Code of Conduct:
>>> https://docs.fedoraproject.org/en-US/project/code-of-conduct/
>>> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
>>> List Archives:
>>> https://lists.fedoraproject.org/archives/list/389-users@lists.fedoraproject.org
>> —
>> Sincerely,
>>
>> William Brown
>>
>> Senior Software Engineer, 389 Directory Server
>> SUSE Labs
>> _______________________________________________
>> 389-users mailing list -- 389-users@lists.fedoraproject.org
>> To unsubscribe send an email to 389-users-le...@lists.fedoraproject.org
>> Fedora Code of Conduct:
>> https://docs.fedoraproject.org/en-US/project/code-of-conduct/
>> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
>> List Archives:
>> https://lists.fedoraproject.org/archives/list/389-users@lists.fedoraproject.org
>
> _______________________________________________
> 389-users mailing list -- 389-users@lists.fedoraproject.org
> To unsubscribe send an email to 389-users-le...@lists.fedoraproject.org
> Fedora Code of Conduct:
> https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives:
> https://lists.fedoraproject.org/archives/list/389-users@lists.fedoraproject.org
_______________________________________________
389-users mailing list -- 389-users@lists.fedoraproject.org
To unsubscribe send an email to 389-users-le...@lists.fedoraproject.org
Fedora Code of Conduct:
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives:
https://lists.fedoraproject.org/archives/list/389-users@lists.fedoraproject.org
