> On 4 Feb 2021, at 22:23, Pierre Rogier <prog...@redhat.com> wrote: > > Hi Nicolas, > > The documentation does not say that wildcard is supported in groupdn > evaluation and I have not seen anything in the code that handles it. > IMHO The comment about group dn filter is a bit confusing: > the only place it is supported while evaluating groupdn is within the > (filter) part when using the full ldap url notation (dn??scope?(filter)) but > that is not really a wildcard but a substring or a presence ldap > filter . > And I do not see how it could be implemented efficiently because > it would mean that either all groups are checked or that > something similar to the ismemberof plugin is used > (and that is neither scalable nor efficient). > Note: for user dn things are easier because there is a single bind dn (and > we can easily check if it matches). >
<Snip> > > >> > >> I'm not an English native speaker, so please forgive me if there's > >> mistakes in this e-mail. > >> > >> OS : Fedora 30 > >> 389ds version / build number : 1.4.1.14 / 2020.023.2226 > >> > >> I'm struggling with ACI and despite hours of documentation reading, I > >> don't understand how to make it work as I want. > >> > >> Basic directory structure > >> ================== > >> dc=domain,dc=tld > >> | > >> +---ou=Servers > >> | > >> +---cn=proxy <---- here is where I add the ACI > >> | > >> +---cn=group1 > >> | > >> +---cn=group2 > >> =================== > >> Container "proxy" is a "iphost" object. > >> A way to achieve this is with the memberOf plugin. Then you enable memberOf plugin on your system. This means that members Of cn=group1,cn=proxy,ou=Servers,dc=domain,dc=tld would have that set into their account such as: dn: uid=william,ou=people,dc=domain,dc=tld ... memberOf: cn=group1,cn=proxy,ou=Servers,dc=domain,dc=tld Then you can use: A way to achieve this is to create a single group that has the access you want, say cn=proxy_allowed,ou=permissions,dc=domain,dc=tld. Then you grant that your read access: (targetattr = "*") (target = "ldap:///cn=proxy,ou=Servers,dc=domain,dc=tld";) (version 3.0;acl "Allow only groups members to query this object";allow (all) (userdn = "ldap:///ou=People,dc=domain,dc=tld??sub??(memberOf=cn=*,cn=proxy,ou=Servers,dc=domain,dc=tld)") ;) I haven't tried this my self, but it should work. You'll need to make sure there is a substring index on memberOf. — Sincerely, William Brown Senior Software Engineer, 389 Directory Server SUSE Labs, Australia _______________________________________________ 389-users mailing list -- 389-users@lists.fedoraproject.org To unsubscribe send an email to 389-users-le...@lists.fedoraproject.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/389-users@lists.fedoraproject.org
