On Tue, Jan 7, 2014 at 3:52 AM, Mike Przybylski <[email protected]>wrote:
> Hello,
>
> I’m trying to lock down what my (Atlassian) Crowd server can do to my
> directory, and one of the things I DON’T want my crowd server to do is
> delete any users with objectClass=posixAccount.
>
> However, the following…
>
> protectedItems
> {
> entry,
> attributeValue {objectclass=posixAccount }
> }
> ,
> grantsAndDenials { denyRemove }
>
> …prevents the deletion of any entries.
>
> Is protecting an entry with a specific objectClass attribute value even
> possible? If so, how do I configure the prescriptiveACI properly?
>
> AFAIK, this is not possible, instead if you want to prevent the user used
by Crowd server to connect
to the directory server from deleting entries then add a special role to
that user and apply the below
given ACI (forget not to replace the value of userGroup)
{
identificationTag "preventEntryDelete",
precedence 15,
authenticationLevel simple,
itemOrUserFirst userFirst:
{
userClasses
{
userGroup { "cn=Operator,ou=groups,dc=example,dc=com" }
}
,
userPermissions
{
{
protectedItems { entry },
grantsAndDenials
{
grantFilterMatch,
denyRemove,
grantBrowse,
grantRead,
grantReturnDN
}
}
}
}
}
HTH
Best regards,
> Mike Przybylski
--
Kiran Ayyagari
http://keydap.com
