[389-users] ACI's on DB Linked Directories

Hi Everyone,

A question about how to best go about doing access control on db-linked directories. Given the below 2-directory setup (Dir1 has a db link set up to Dir2, and vice versa), is the shown ACI setup possible/advisable?  If not, what's the best way to make it work?:

Dir1:

dc=example,dc=com

   ou=employees

      uid=alice

      uid=bob

   cn=admins

      member:uid=alice,ou=employees,dc=example,dc=com

Dir2:

dc=example,dc=com

   ou=projects

      aci:(targetattr ="*")(version 3.0;acl "Admins Group";allow (all) (groupdn = "ldap:///cn=admins,dc=example,dc=com");)

I ask because section 2.3.6. Database Links and Access Control Evaluation, of the RHDS Admin Guide says:

"ACIs must be located with any groups they use. If the groups are dynamic, all users in the group must be located with the ACI and the group. If the group is static, it may refer to remote users."

https://access.redhat.com/documentation/en-US/Red_Hat_Directory_Server/10/html/Administration_Guide/Configuring_Directory_Databases-Creating_and_Maintaining_Database_Links.html#Creating_and_Maintaining_Database_Links-Database_Links_and_Access_Control_Evaluation

I'm afraid the phrasing is a little opaque to my understanding.  Does it mean that "Admin Groups" act on Dir2 is not allowed to refer to cn=admins,dc=example,dc=com on Dir1?

If so, then what is the best way of maintaining groups centrally but allowing them to be used on remote directories?

*Bonus Question:

Say Alice only has access to Dir1, she can issue a search to ou=projects because of the DB link from Dir1 —> Dir2.  When the aci on ou=projects is processed, which user is used?  uid=alice or the proxy user of the db link?  Will the aci work at all in this case?

Thanks a lot,

Trev

_________________________________________________

Trevor Fong

Senior Programmer Analyst

Information Technology | Engage. Envision. Enable.

The University of British Columbia

trevor.fong@ubc.ca | 1-604-827-5247 | it.ubc.ca