[389-users] Re: Limiting access to same ou

2018-11-26 Thread Mark Reynolds


On 11/26/18 8:35 PM, Alistair Cunningham wrote:

On 27/11/2018 12:32, Mark Reynolds wrote:

On 11/26/18 7:44 PM, Alistair Cunningham wrote:

Thank you, I'll give that a go.

On a related topic, do you know why, when I try to add a 
simpleSecurityObject, I get an 'attribute "cn" not allowed' error?


$ cat 1234567890.ldif
dn: cn=1234567890,ou=2,dc=integrics,dc=com
objectClass: simpleSecurityObject
userPassword: abcdef
$ ldapadd -x -D "cn=Directory Manager" -w secret -f 1234567890.ldif
adding new entry "cn=1234567890,ou=2,dc=integrics,dc=com"
ldap_add: Object class violation (65)
additional info: attribute "cn" not allowed


I've tried with "uid=1234567890" instead, and it tells me that uid 
is not allowed.
You need an objectclass that allows CN or UID; simpleSecurityObject 
only allows the userPassword attribute.


I see, thank you. In that case, what DN should I use instead of 
"cn=1234567890,ou=2,dc=integrics,dc=com" for this 
simpleSecurityObject? If no DN, how do I specify the 
simpleSecurityObject's username?


You should add an objectclass that allows CN (or UID), for example:


dn: cn=1234567890,ou=2,dc=integrics,dc=com
objectclass: top
objectclass: person
objectClass: simpleSecurityObject
userPassword: abcdef
cn: 1234567890
# person also requires sn, so give it a value as well
sn: 1234567890


Technically you don't even need simpleSecurityObject; "person" 
alone will get you the entry that you need.


HTH,

Mark





___
389-users mailing list -- 389-users@lists.fedoraproject.org
To unsubscribe send an email to 389-users-le...@lists.fedoraproject.org
Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedoraproject.org/archives/list/389-users@lists.fedoraproject.org
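Added example, not code from the thread or from 389-ds: a small Python check that mimics how the server validates an add against its schema, reproducing the 'attribute "cn" not allowed' rejection for the entry posted above and accepting the corrected one. The schema table is a constructed subset of the standard definitions; note that person also requires sn (RFC 4519), so the corrected entry carries one.

```python
# Added example (not from the thread or 389-ds): reproduce the server's
# objectclass check for an LDIF add. SCHEMA is a constructed subset of
# RFC 4519 / 389-ds 00core.ldif: class -> (MUST, MAY), names lower-cased.
SCHEMA = {
    "top": ({"objectclass"}, set()),
    "person": ({"sn", "cn"}, {"userpassword", "telephonenumber", "description"}),
    "simplesecurityobject": ({"userpassword"}, set()),
}
SUP = {"person": "top", "simplesecurityobject": "top"}  # superior classes

def parse_ldif(text):
    """Parse one LDIF entry into (dn, {attr: [values]}), attrs lower-cased."""
    dn, attrs = None, {}
    for line in text.strip().splitlines():
        if not line or line.startswith("#"):
            continue
        name, _, value = line.partition(":")
        name, value = name.strip().lower(), value.strip()
        if name == "dn":
            dn = value
        else:
            attrs.setdefault(name, []).append(value)
    return dn, attrs

def check_entry(text):
    """Return [] if the entry is schema-valid, else the list of violations."""
    dn, attrs = parse_ldif(text)
    if not dn:
        return ["missing dn"]
    classes = {c.lower() for c in attrs.get("objectclass", [])}
    for c in list(classes):  # expand superiors: person implies top
        while c in SUP:
            c = SUP[c]
            classes.add(c)
    unknown = classes - set(SCHEMA)
    if unknown:
        return [f"unknown objectclass {c}" for c in sorted(unknown)]
    must = set().union(*(SCHEMA[c][0] for c in classes))
    allowed = must | set().union(*(SCHEMA[c][1] for c in classes))
    # The server adds the RDN attribute (cn= in the DN) before checking; hence "cn".
    rdn_attr = dn.split(",", 1)[0].split("=", 1)[0].strip().lower()
    present = set(attrs) | {rdn_attr}
    errors = [f'attribute "{a}" not allowed' for a in sorted(present - allowed)]
    errors += [f'missing attribute "{a}"' for a in sorted(must - present)]
    return errors

# The entry as posted in the thread, and a corrected form: person also
# requires sn (RFC 4519), so one is added alongside cn.
ORIGINAL_ENTRY = """dn: cn=1234567890,ou=2,dc=integrics,dc=com
objectClass: simpleSecurityObject
userPassword: abcdef
"""
FIXED_ENTRY = """dn: cn=1234567890,ou=2,dc=integrics,dc=com
objectclass: top
objectclass: person
objectClass: simpleSecurityObject
userPassword: abcdef
cn: 1234567890
sn: 1234567890
"""
```

check_entry(ORIGINAL_ENTRY) returns ['attribute "cn" not allowed'] and check_entry(FIXED_ENTRY) returns []; dropping the sn line from the fixed entry yields ['missing attribute "sn"'].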


[389-users] Re: Limiting access to same ou

2018-11-26 Thread Alistair Cunningham

On 27/11/2018 12:32, Mark Reynolds wrote:

On 11/26/18 7:44 PM, Alistair Cunningham wrote:

Thank you, I'll give that a go.

On a related topic, do you know why, when I try to add a 
simpleSecurityObject, I get an 'attribute "cn" not allowed' error?


$ cat 1234567890.ldif
dn: cn=1234567890,ou=2,dc=integrics,dc=com
objectClass: simpleSecurityObject
userPassword: abcdef
$ ldapadd -x -D "cn=Directory Manager" -w secret -f 1234567890.ldif
adding new entry "cn=1234567890,ou=2,dc=integrics,dc=com"
ldap_add: Object class violation (65)
additional info: attribute "cn" not allowed


I've tried with "uid=1234567890" instead, and it tells me that uid is 
not allowed.
You need an objectclass that allows CN or UID; simpleSecurityObject only 
allows the userPassword attribute.


I see, thank you. In that case, what DN should I use instead of 
"cn=1234567890,ou=2,dc=integrics,dc=com" for this simpleSecurityObject? 
If no DN, how do I specify the simpleSecurityObject's username?



--
Alistair Cunningham
+1 888 468 3111
+44 20 799 39 799
https://enswitch.com/


[389-users] Re: Limiting access to same ou

2018-11-26 Thread Mark Reynolds


On 11/26/18 7:44 PM, Alistair Cunningham wrote:

Thank you, I'll give that a go.

On a related topic, do you know why, when I try to add a 
simpleSecurityObject, I get an 'attribute "cn" not allowed' error?


$ cat 1234567890.ldif
dn: cn=1234567890,ou=2,dc=integrics,dc=com
objectClass: simpleSecurityObject
userPassword: abcdef
$ ldapadd -x -D "cn=Directory Manager" -w secret -f 1234567890.ldif
adding new entry "cn=1234567890,ou=2,dc=integrics,dc=com"
ldap_add: Object class violation (65)
additional info: attribute "cn" not allowed


I've tried with "uid=1234567890" instead, and it tells me that uid is 
not allowed.
You need an objectclass that allows CN or UID; simpleSecurityObject only 
allows the userPassword attribute.


On 27/11/2018 10:31, Olivier JUDITH wrote:

Hi,

Give it a try. It should work:
aci: (target="ldap:///ou=tenant1,dc=example,dc=com")(targetattr=*)(version 3.0;acl "aci1";allow (read,search) userdn="ldap:///uid=*,ou=tenant1,dc=example,dc=com";)
aci: (target="ldap:///ou=tenant2,dc=example,dc=com")(targetattr=*)(version 3.0;acl "aci2";allow (read,search) userdn="ldap:///uid=*,ou=tenant2,dc=example,dc=com";)


Let me know

On Tue 27 Nov 2018 at 00:03, Alistair Cunningham 
<acunning...@integrics.com> wrote:


    On 26/11/2018 18:59, Olivier JUDITH wrote:
     > Hi,
     >
     > I'm using the Redhat documentation on this link
     > https://access.redhat.com/documentation/en-us/red_hat_directory_server/10/html-single/plug-in_guide/index

    That looks rather complex. It's a real shame that there's no way of
    limiting users to the same ou using a regular expression ACL.

     > Regards
     >
     > On Mon 26 Nov 2018 at 05:46, Alistair Cunningham
     > <acunning...@integrics.com> wrote:
     >
     >     On 25/11/2018 11:44, Olivier JUDITH wrote:
     >      > From my point of view, the easiest way to solve this is to set
     >      > a search filter on the OU corresponding to the tenant on each
     >      > phone.
     >      > Can you modify the software on the phone?
     >
     >     Unfortunately not. The telephone handset firmware is written
     >     by various third parties, and we have no access to it.
     >
     >     This would also be insecure. Anyone with the username and
     >     password of a telephone and who could use an LDAP client such as
     >     LDAP search could bypass the filter to see all the users in all
     >     the tenants (i.e. every ou).
     >
     >      > The other way could be by creating a 389 plugin that adds a
     >      > filter on the right OU according to the DN of the user making
     >      > the call to LDAP.
     >
     >     That might be an option. Do you know where I can find
     >     documentation on how to do this?

    --
    Alistair Cunningham
    +1 888 468 3111
    +44 20 799 39 799
    https://enswitch.com/

[389-users] Re: Limiting access to same ou

2018-11-26 Thread Alistair Cunningham

Thank you, I'll give that a go.

On a related topic, do you know why, when I try to add a 
simpleSecurityObject, I get an 'attribute "cn" not allowed' error?


$ cat 1234567890.ldif
dn: cn=1234567890,ou=2,dc=integrics,dc=com
objectClass: simpleSecurityObject
userPassword: abcdef
$ ldapadd -x -D "cn=Directory Manager" -w secret -f 1234567890.ldif
adding new entry "cn=1234567890,ou=2,dc=integrics,dc=com"
ldap_add: Object class violation (65)
additional info: attribute "cn" not allowed


I've tried with "uid=1234567890" instead, and it tells me that uid is 
not allowed.


On 27/11/2018 10:31, Olivier JUDITH wrote:

Hi,

Give it a try. It should work:
aci: (target="ldap:///ou=tenant1,dc=example,dc=com")(targetattr=*)(version 3.0;acl "aci1";allow (read,search) userdn="ldap:///uid=*,ou=tenant1,dc=example,dc=com";)
aci: (target="ldap:///ou=tenant2,dc=example,dc=com")(targetattr=*)(version 3.0;acl "aci2";allow (read,search) userdn="ldap:///uid=*,ou=tenant2,dc=example,dc=com";)


Let me know

On Tue 27 Nov 2018 at 00:03, Alistair Cunningham 
<acunning...@integrics.com> wrote:


On 26/11/2018 18:59, Olivier JUDITH wrote:
 > Hi,
 >
 > I'm using the Redhat documentation on this link
 > https://access.redhat.com/documentation/en-us/red_hat_directory_server/10/html-single/plug-in_guide/index

That looks rather complex. It's a real shame that there's no way of
limiting users to the same ou using a regular expression ACL.

 > Regards
 >
 > On Mon 26 Nov 2018 at 05:46, Alistair Cunningham
 > <acunning...@integrics.com> wrote:
 >
 >     On 25/11/2018 11:44, Olivier JUDITH wrote:
 >      > From my point of view, the easiest way to solve this is to set
 >      > a search filter on the OU corresponding to the tenant on each
 >      > phone.
 >      > Can you modify the software on the phone?
 >
 >     Unfortunately not. The telephone handset firmware is written
 >     by various third parties, and we have no access to it.
 >
 >     This would also be insecure. Anyone with the username and
 >     password of a telephone and who could use an LDAP client such as
 >     LDAP search could bypass the filter to see all the users in all
 >     the tenants (i.e. every ou).
 >
 >      > The other way could be by creating a 389 plugin that adds a
 >      > filter on the right OU according to the DN of the user making
 >      > the call to LDAP.
 >
 >     That might be an option. Do you know where I can find
 >     documentation on how to do this?



--
Alistair Cunningham
+1 888 468 3111
+44 20 799 39 799
https://enswitch.com/

[389-users] Re: Limiting access to same ou

2018-11-26 Thread Olivier JUDITH
Hi,

Give it a try. It should work:
aci: (target="ldap:///ou=tenant1,dc=example,dc=com")(targetattr=*)(version 3.0;acl "aci1";allow (read,search) userdn="ldap:///uid=*,ou=tenant1,dc=example,dc=com";)
aci: (target="ldap:///ou=tenant2,dc=example,dc=com")(targetattr=*)(version 3.0;acl "aci2";allow (read,search) userdn="ldap:///uid=*,ou=tenant2,dc=example,dc=com";)

Let me know

On Tue 27 Nov 2018 at 00:03, Alistair Cunningham 
wrote:

> On 26/11/2018 18:59, Olivier JUDITH wrote:
> > Hi,
> >
> > I'm using the Redhat documentation on this link
> > https://access.redhat.com/documentation/en-us/red_hat_directory_server/10/html-single/plug-in_guide/index
>
> That looks rather complex. It's a real shame that there's no way of
> limiting users to the same ou using a regular expression ACL.
>
> > Regards
> >
> > On Mon 26 Nov 2018 at 05:46, Alistair Cunningham
> > <acunning...@integrics.com> wrote:
> >
> > On 25/11/2018 11:44, Olivier JUDITH wrote:
> >  > From my point of view, the easiest way to solve this is to set
> >  > a search filter on the OU corresponding to the tenant on each phone.
> >  > Can you modify the software on the phone?
> >
> > Unfortunately not. The telephone handset firmware is written by
> > various third parties, and we have no access to it.
> >
> > This would also be insecure. Anyone with the username and password
> > of a telephone and who could use an LDAP client such as LDAP search
> > could bypass the filter to see all the users in all the tenants (i.e.
> > every ou).
> >
> >  > The other way could be by creating a 389 plugin that adds a
> >  > filter on the right OU according to the DN of the user making the
> >  > call to LDAP.
> >
> > That might be an option. Do you know where I can find documentation
> > on how to do this?
> >
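Added example, not code from the thread or from 389-ds: a Python helper that generates one ACI per tenant in the form posted above (a loop over the ous is the practical substitute for the regular-expression ACL asked about earlier in the thread) and a simplified evaluator for that syntax subset, showing the server's default-deny outcome: a bind DN under ou=tenant1 gets read/search only inside ou=tenant1, whatever filter the client sends. The suffix, ACI names and DNs are constructed; the ACIs would be stored as aci attribute values on the ou entries.

```python
# Added example (not from the thread or 389-ds): generate one per-tenant ACI
# in the form posted above and evaluate it the way the server does (default
# deny). Only the syntax subset used in the thread is handled: target,
# targetattr, allow (rights) and userdn with a single "*" wildcard.
import re

SUFFIX = "dc=example,dc=com"  # constructed, matching the thread's example

def tenant_aci(tenant):
    """ACI letting uid=* under ou=<tenant> read/search only that ou's subtree."""
    ou = f"ou={tenant},{SUFFIX}"
    return (f'(target="ldap:///{ou}")(targetattr="*")'
            f'(version 3.0;acl "aci-{tenant}";allow (read,search) '
            f'userdn="ldap:///uid=*,{ou}";)')

ACI_RE = re.compile(
    r'\(target="ldap:///(?P<target>[^"]+)"\)\(targetattr="?(?P<attr>[^")]+)"?\)'
    r'\(version 3\.0;\s*acl "(?P<name>[^"]+)";\s*allow \((?P<rights>[^)]+)\)\s*'
    r'userdn="ldap:///(?P<userdn>[^"]+)";\)')

def parse_aci(text):
    """Parse one ACI value (without the 'aci: ' attribute prefix) into parts."""
    m = ACI_RE.fullmatch(text.strip())
    if not m:
        raise ValueError("unsupported ACI syntax")
    d = m.groupdict()
    d["rights"] = {r.strip() for r in d["rights"].split(",")}
    return d

def _norm(dn):
    return ",".join(p.strip().lower() for p in dn.split(","))

def _in_subtree(dn, base):
    dn, base = _norm(dn), _norm(base)
    return dn == base or dn.endswith("," + base)

def _userdn_matches(pattern, bind_dn):
    # "uid=*,ou=tenant1,...": the wildcard stands for one RDN value only
    rx = re.escape(_norm(pattern)).replace(r"\*", r"[^,]+")
    return re.fullmatch(rx, _norm(bind_dn)) is not None

def allowed(acis, bind_dn, entry_dn, right):
    """True only if some ACI grants `right` on entry_dn to bind_dn (default deny)."""
    return any(right in a["rights"]
               and _in_subtree(entry_dn, a["target"])
               and _userdn_matches(a["userdn"], bind_dn)
               for a in acis)

# Generated policy for two tenants: one ACI per ou, no regex needed.
ACIS = [parse_aci(tenant_aci(t)) for t in ("tenant1", "tenant2")]
```

allowed(ACIS, "uid=phone1,ou=tenant1,dc=example,dc=com", "cn=bob,ou=tenant2,dc=example,dc=com", "read") is False while the same bind DN against an entry under ou=tenant1 is True; parse_aci also accepts the thread's own aci1 string once the stray ";" characters after each closing quote are removed.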


[389-users] Re: Limiting access to same ou

2018-11-26 Thread Alistair Cunningham

On 26/11/2018 18:59, Olivier JUDITH wrote:

Hi,

I'm using the Redhat documentation on this link
https://access.redhat.com/documentation/en-us/red_hat_directory_server/10/html-single/plug-in_guide/index


That looks rather complex. It's a real shame that there's no way of 
limiting users to the same ou using a regular expression ACL.



Regards

On Mon 26 Nov 2018 at 05:46, Alistair Cunningham 
<acunning...@integrics.com> wrote:


On 25/11/2018 11:44, Olivier JUDITH wrote:
 > From my point of view, the easiest way to solve this is to set
 > a search filter on the OU corresponding to the tenant on each phone.
 > Can you modify the software on the phone?

Unfortunately not. The telephone handset firmware is written by various
third parties, and we have no access to it.

This would also be insecure. Anyone with the username and password of a
telephone and who could use an LDAP client such as LDAP search could
bypass the filter to see all the users in all the tenants (i.e.
every ou).

 > The other way could be by creating a 389 plugin that adds a
 > filter on the right OU according to the DN of the user making the call
 > to LDAP.

That might be an option. Do you know where I can find documentation on
how to do this?




--
Alistair Cunningham
+1 888 468 3111
+44 20 799 39 799
https://enswitch.com/


[389-users] Re: Limiting access to same ou

2018-11-26 Thread Olivier JUDITH
Hi,

I'm using the Redhat documentation on this link
https://access.redhat.com/documentation/en-us/red_hat_directory_server/10/html-single/plug-in_guide/index


Regards

On Mon 26 Nov 2018 at 05:46, Alistair Cunningham 
wrote:

> On 25/11/2018 11:44, Olivier JUDITH wrote:
> > From my point of view, the easiest way to solve this is to set a
> > search filter on the OU corresponding to the tenant on each phone.
> > Can you modify the software on the phone?
>
> Unfortunately not. The telephone handset firmware is written by various
> third parties, and we have no access to it.
>
> This would also be insecure. Anyone with the username and password of a
> telephone and who could use an LDAP client such as LDAP search could
> bypass the filter to see all the users in all the tenants (i.e. every ou).
>
> > The other way could be by creating a 389 plugin that adds a filter on
> > the right OU according to the DN of the user making the call to LDAP.
>
> That might be an option. Do you know where I can find documentation on
> how to do this?
>