On 5 Feb 2021, at 12:30, William Brown <wbrown(a)suse.de> wrote:
> On 4 Feb 2021, at 22:23, Pierre Rogier <progier(a)redhat.com> wrote:
>
> Hi Nicolas,
>
> The documentation does not say that wildcard is supported in groupdn evaluation and I have not seen anything in the code that handles it.
> IMHO the comment about group dn filter is a bit confusing:
> the only place it is supported while evaluating groupdn is within the (filter) part when using the full ldap url notation (dn??scope?(filter)), but that is not really a wildcard but a substring or a presence ldap filter.
> And I do not see how it could be implemented efficiently because
> it would mean that either all groups are checked or that
> something similar to the ismemberof plugin is used
> (and that is neither scalable nor efficient).
> Note: for user dn things are easier because there is a single bind dn (and we can easily check if it matches).
>
<Snip>
>
>>>
>>> I'm not an English native speaker, so please forgive me if there's
>>> mistakes in this e-mail.
>>>
>>> OS : Fedora 30
>>> 389ds version / build number : 1.4.1.14 / 2020.023.2226
>>>
>>> I'm struggling with ACI and despite hours of documentation reading, I
>>> don't understand how to make it work as I want.
>>>
>>> Basic directory structure
>>> ==================
>>> dc=domain,dc=tld
>>> |
>>> +---ou=Servers
>>>     |
>>>     +---cn=proxy <---- here is where I add the ACI
>>>         |
>>>         +---cn=group1
>>>         |
>>>         +---cn=group2
>>> ===================
>>> Container "proxy" is an "iphost" object.
>>>
Sorry for the messy email. I rewrote it a few times: This should be clearer.
A way to achieve this is with the memberOf plugin.
You enable the memberOf plugin on your system. This means that members of
cn=group1,cn=proxy,ou=Servers,dc=domain,dc=tld would have that set into their account, such as:
dn: uid=william,ou=people,dc=domain,dc=tld
...
memberOf: cn=group1,cn=proxy,ou=Servers,dc=domain,dc=tld
Then you can use:
(targetattr = "*")
(target = "ldap:///cn=proxy,ou=Servers,dc=domain,dc=tld")
(version 3.0; acl "Allow only groups members to query this object"; allow (all)
  (userdn = "ldap:///ou=People,dc=domain,dc=tld??sub?(memberOf=cn=*,cn=proxy,ou=Servers,dc=domain,dc=tld)");)
I haven't tried this myself, but it should work. You'll need to make sure there
is a substring index on memberOf.
—
Sincerely,
William Brown
Senior Software Engineer, 389 Directory Server
SUSE Labs, Australia
_______________________________________________
389-users mailing list -- 389-users(a)lists.fedoraproject.org
To unsubscribe send an email to 389-users-leave(a)lists.fedoraproject.org
Fedora Code of Conduct:
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines:
https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives:
https://lists.fedoraproject.org/archives/list/389-users@lists.fedoraproje...
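As an added illustration, not code from this thread or from 389 DS, here is a small Python model of how the userdn LDAP URL in an ACI like the one above is evaluated: the bind DN must sit under the URL's base within its scope, and its entry (with memberOf values as the memberOf plugin would maintain them) must match the filter, where "*" is a substring wildcard inside the filter only. The ACI string and the three user entries are constructed sample data, and the parser rejects a URL with a stray "?" (five fields instead of base?attrs?scope?filter).

```python
import re
ACI = (  # constructed, in the form proposed above (userdn URL is base?attrs?scope?filter)
    '(targetattr = "*") (target = "ldap:///cn=proxy,ou=Servers,dc=domain,dc=tld") '
    '(version 3.0;acl "Allow only groups members to query this object";allow (all) '
    '(userdn = "ldap:///ou=People,dc=domain,dc=tld??sub?'
    '(memberOf=cn=*,cn=proxy,ou=Servers,dc=domain,dc=tld)");)')

DIRECTORY = {  # constructed entries; memberOf as the memberOf plugin would maintain it
    "uid=william,ou=People,dc=domain,dc=tld":
        {"memberof": ["cn=group1,cn=proxy,ou=Servers,dc=domain,dc=tld"]},
    "uid=nicolas,ou=People,dc=domain,dc=tld":
        {"memberof": ["cn=admins,ou=Groups,dc=domain,dc=tld"]},
    "uid=svc,ou=Services,dc=domain,dc=tld":  # in group2, but outside the URL base
        {"memberof": ["cn=group2,cn=proxy,ou=Servers,dc=domain,dc=tld"]},
}

def norm_dn(dn):
    """Case-fold a DN and drop spaces around RDN separators (naive split, fine here)."""
    return ",".join(p.strip() for p in dn.lower().split(","))

def parse_userdn_url(aci):
    """Pull the userdn LDAP URL out of the ACI and split it per RFC 4516."""
    m = re.search(r'userdn\s*=\s*"ldap:///([^"]*)"', aci)
    if not m:
        raise ValueError("ACI has no userdn LDAP URL")
    parts = m.group(1).split("?")
    if len(parts) != 4:  # a stray '?' (e.g. '??sub??(...)') gives 5 fields and a broken rule
        raise ValueError("userdn URL must be base?attrs?scope?filter, got %d fields" % len(parts))
    base, _attrs, scope, flt = parts
    f = re.fullmatch(r"\((\w+)=([^()]*)\)", flt)
    if not f:
        raise ValueError("only a single (attr=value) filter is handled here")
    return norm_dn(base), scope.lower() or "base", f.group(1).lower(), f.group(2)

def in_scope(dn, base, scope):
    """Is dn at or under base, for the URL scope (base / one / sub)?"""
    dn = norm_dn(dn)
    if scope == "base": return dn == base
    if scope == "one": return dn.endswith("," + base) and "," not in dn[:-len(base) - 1]
    return dn == base or dn.endswith("," + base)

def bind_dn_allowed(aci, bind_dn, directory=DIRECTORY):
    """True if bind_dn is one of the entries the userdn URL denotes."""
    base, scope, attr, pattern = parse_userdn_url(aci)
    entry = directory.get(bind_dn)  # anonymous bind (None) has no entry, so never matches
    if entry is None or not in_scope(bind_dn, base, scope):
        return False
    rx = re.escape(norm_dn(pattern)).replace(r"\*", ".*")  # '*' is a substring wildcard
    return any(re.fullmatch(rx, norm_dn(v)) for v in entry.get(attr, []))
```

The svc account shows why the URL base matters: it is in group2 but lives outside ou=People, so the rule does not grant it anything.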