On 19/11/14 12:56, Christoph Witzany wrote:
> Hi guys!
>
> I need to create an Apache Directory Server installation with multiple
> partitions.
>
> For each partition there should be one or more admin users that can
> read/browse/edit only this partition.
> Additionally, the partitions will contain organisational units, where again a
> set of users can manage the respective subtree.
>
> If I understood the docs right this should be doable with Prescriptive ACIs.
>
> My first try at an ACI was something like that (in a subentry of
> dc=kig1,dc=example,dc=com ):
>
> {
>   identificationTag "kigAdmin",
>   precedence 0,
>   authenticationLevel simple,
>   itemOrUserFirst itemFirst:
>   {
>     protectedItems
>     {
>       entry,
>       allUserAttributeTypes,
>       allUserAttributeTypesAndValues
>     },
>     itemPermissions
>     {
>       {
>         precedence 0,
>         userClasses
>         {
>           name { "uid=admin,ou=kig1ki1,dc=kig1,dc=example,dc=com" }
>         },
>         grantsAndDenials
>         {
>           grantRename,
>           grantExport,
>           grantRemove,
>           grantInvoke,
>           grantDiscloseOnError,
>           grantRead,
>           grantAdd,
>           grantBrowse,
>           grantImport,
>           grantCompare,
>           grantReturnDN,
>           grantModify,
>           grantFilterMatch
>         }
>       }
>     }
>   }
> }
Have you tried with something like:
{
  identificationTag "kigAdmin",
  precedence 0,
  authenticationLevel simple,
  itemOrUserFirst userFirst:
  {
    userClasses
    {
      name { "uid=admin,ou=kig1ki1,dc=kig1,dc=example,dc=com" }
    },
    userPermissions
    {
      {
        protectedItems
        {
          entry,
          allUserAttributeTypes,
          allUserAttributeTypesAndValues
        },
        grantsAndDenials
        {
          grantRename,
          grantExport,
          grantRemove,
          grantInvoke,
          grantDiscloseOnError,
          grantRead,
          grantAdd,
          grantBrowse,
          grantImport,
          grantCompare,
          grantReturnDN,
          grantModify,
          grantFilterMatch
        }
      }
    }
  }
}
In this case, we say that the uid=admin,ou=kig1ki1,... admin can
see/update all the entries in the part of the tree which is associated with
the subentry, and no other user can.
Can you tell me if it's any better?
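Worked example, added here as an illustration and not part of either
message above: the LDIF that puts the userFirst ACI from the reply into a
prescriptive subentry, together with the two pieces the thread does not
show, namely marking the partition root as an access-control administrative
point and scoping a second subentry to a single OU so that an OU-level admin
only manages that subtree. The DNs, the subentry names (cn=kigAdminACI,
cn=kig1ki1AdminACI), the OU admin uid=ouadmin, and the config attribute
ads-dsAccessControlEnabled are assumptions for the sake of the example; the
access-control switch in step 0 is what ApacheDS 2.x uses in ou=config to
the best of my knowledge, so check it against your server version before
relying on it.

```ldif
# Added example, not code from the thread. Assumes ApacheDS 2.x with a
# partition rooted at dc=kig1,dc=example,dc=com.

# 0. Access control is off by default in ApacheDS, so no ACI has any
#    effect until it is switched on in the server configuration
#    (attribute name assumed; verify against your ou=config).
dn: ads-directoryServiceId=default,ou=config
changetype: modify
replace: ads-dsAccessControlEnabled
ads-dsAccessControlEnabled: TRUE

# 1. Make the partition root an Access Control Specific Area; prescriptive
#    ACIs are only evaluated for entries below such an administrative point.
dn: dc=kig1,dc=example,dc=com
changetype: modify
add: administrativeRole
administrativeRole: accessControlSpecificArea

# 2. Partition-wide subentry: an empty subtreeSpecification covers every
#    entry under the administrative point. The ACI is the userFirst one
#    from the reply above (LDIF continuation lines start with a space).
dn: cn=kigAdminACI,dc=kig1,dc=example,dc=com
changetype: add
objectClass: top
objectClass: subentry
objectClass: accessControlSubentry
cn: kigAdminACI
subtreeSpecification: {}
prescriptiveACI: { identificationTag "kigAdmin", precedence 0,
  authenticationLevel simple, itemOrUserFirst userFirst: {
  userClasses { name { "uid=admin,ou=kig1ki1,dc=kig1,dc=example,dc=com" } },
  userPermissions { {
    protectedItems { entry, allUserAttributeTypes,
      allUserAttributeTypesAndValues },
    grantsAndDenials { grantRename, grantExport, grantRemove, grantInvoke,
      grantDiscloseOnError, grantRead, grantAdd, grantBrowse, grantImport,
      grantCompare, grantReturnDN, grantModify, grantFilterMatch }
  } } } }

# 3. OU-scoped subentry for the "organisational unit admins" requirement:
#    "base" is relative to the administrative point, so this subentry only
#    applies to ou=kig1ki1 and the entries beneath it. A second OU gets its
#    own subentry with its own base and its own admin DN (uid=ouadmin is a
#    placeholder).
dn: cn=kig1ki1AdminACI,dc=kig1,dc=example,dc=com
changetype: add
objectClass: top
objectClass: subentry
objectClass: accessControlSubentry
cn: kig1ki1AdminACI
subtreeSpecification: { base "ou=kig1ki1" }
prescriptiveACI: { identificationTag "kig1ki1Admin", precedence 0,
  authenticationLevel simple, itemOrUserFirst userFirst: {
  userClasses { name { "uid=ouadmin,ou=kig1ki1,dc=kig1,dc=example,dc=com" } },
  userPermissions { {
    protectedItems { entry, allUserAttributeTypes,
      allUserAttributeTypesAndValues },
    grantsAndDenials { grantRename, grantExport, grantRemove, grantInvoke,
      grantDiscloseOnError, grantRead, grantAdd, grantBrowse, grantImport,
      grantCompare, grantReturnDN, grantModify, grantFilterMatch }
  } } } }
```

Two things worth checking once this is loaded: bind as
uid=admin,ou=kig1ki1,dc=kig1,dc=example,dc=com and as a user that appears in
no ACI and search dc=kig1,dc=example,dc=com with both; with access control
enabled the second bind should see nothing, since ApacheDS denies whatever
no ACI grants, so the "and no other user" part needs no explicit deny. The
server's own administrator (uid=admin,ou=system) is not subject to ACIs at
all, so do not use it to test that the restriction holds.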