Thursday, March 3, 2022

[389-users] Re: aci sanity check

> On 4 Mar 2022, at 02:31, Mark Reynolds <mareynol@redhat.com> wrote:
>
>
> On 3/3/22 10:26 AM, David Ritenour wrote:
>> Hi Morgan,
>>
>> Try changing your target as follows:
>>
>> From: (target = "cn=vpnall,ou=vpnaccess,ou=groups,dc=domain,dc=org")
>> To: (target = "ldap:///cn=vpnall,ou=vpnaccess,ou=groups,dc=domain,dc=org")
>
> Correct, all "dn's" in an aci must be in an LDAP URL format. You should also add "(targetattr="*"). So try this:

You shouldn't use targetattr=* because that exposes a lot of potentially sensitive attributes like personally identifiable information, the user's password hashes, certificates, and internal server attributes.

You should specify the exact list of attributes you need to see and request. in targetattr.

>
> aci: (target = "ldap:///cn=vpnall,ou=vpnaccess,ou=groups,dc=domain,dc=org")
> (targetattr="*")(targetfilter = "(objectclass=groupofuniquenames)")
> (version 3.0; acl "duo access";
> allow (read, search, compare) groupdn = "ldap:///cn=vpnall,ou=vpnaccess,ou=groups,dc=domain,dc=org";)
>
> HTH,
> Mark
>
>>
>> David Ritenour
>> MartinFederal Consulting, LLC
>> Senior Directory Engineer
>> 513 Madison Street SE
>> Huntsville, AL 35801
>>
>> -----Original Message-----
>> From: Morgan Jones <morgan@morganjones.org>
>> Sent: Thursday, March 3, 2022 9:36 AM
>> To: General discussion list for the 389 Directory server project. <389-users@lists.fedoraproject.org>
>> Subject: [389-users] aci sanity check
>>
>> ** WARNING: This email originated from outside of the organization. Do not click links or open attachments unless you recognize the sender and know the content is safe.
>>
>>
>> Hello,
>>
>> Would someone mind taking a look at the below and tell me what I am missing?? I have a requirement to make a group readable by its members:
>>
>>
>>
>> morgan@m1macbook ~ % ldapmodify -H ldaps://prdds22.domain.org -x -y pass.txt -f duo_aci_example.ldif modifying entry "cn=vpnall,ou=vpnaccess,ou=groups,dc=domain,dc=org"
>> ldap_modify: Invalid syntax (21)
>> additional info: ACL Syntax Error(-5):(target = \22cn=vpnall,ou=vpnaccess,ou=groups,dc=domain,dc=org\22)(targetfilter = \22(objectclass=groupofuniquenames)\22)(version 3.0; acl \22duo access\22;allow (read, search, compare) groupdn = \22ldap:///cn=vpnall,ou=vpnaccess,ou=groups,dc=domain,dc=org\22;)
>>
>>
>> morgan@m1macbook ~ %
>>
>>
>> duo_aci_example.ldif:
>> dn: cn=vpnall,ou=vpnaccess,ou=groups,dc=domain,dc=org
>> changetype: modify
>> replace: aci
>> aci: (target = "cn=vpnall,ou=vpnaccess,ou=groups,dc=domain,dc=org")
>> (targetfilter = "(objectclass=groupofuniquenames)")
>> (version 3.0; acl "duo access";
>> allow (read, search, compare) groupdn = "ldap:///cn=vpnall,ou=vpnaccess,ou=groups,dc=domain,dc=org";)
>>
>>
>> thank you!
>>
>> -morgan
>> _______________________________________________
>> 389-users mailing list -- 389-users@lists.fedoraproject.org To unsubscribe send an email to 389-users-leave@lists.fedoraproject.org
>> Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
>> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
>> List Archives: https://lists.fedoraproject.org/archives/list/389-users@lists.fedoraproject.org
>> Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure
>> This email and any files transmitted with it are confidential and are intended solely for the use of the individual or entity to which they are addressed. If you are not the intended recipient or the person responsible for delivering the email to the intended recipient, be advised that you have received this email and any such files in error and that any use, dissemination, forwarding, printing or copying of this email and/or any such files is strictly prohibited. If you have received this email in error please immediately notify hr@martinfed.com - (855) 212-1810 , and destroy the original message and any such files.
>> _______________________________________________
>> 389-users mailing list -- 389-users@lists.fedoraproject.org
>> To unsubscribe send an email to 389-users-leave@lists.fedoraproject.org
>> Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
>> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
>> List Archives: https://lists.fedoraproject.org/archives/list/389-users@lists.fedoraproject.org
>> Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure
>
> --
> Directory Server Development Team
> _______________________________________________
> 389-users mailing list -- 389-users@lists.fedoraproject.org
> To unsubscribe send an email to 389-users-leave@lists.fedoraproject.org
> Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives: https://lists.fedoraproject.org/archives/list/389-users@lists.fedoraproject.org
> Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure

--
Sincerely,

William Brown

Senior Software Engineer,
Identity and Access Management
SUSE Labs, Australia
_______________________________________________
389-users mailing list -- 389-users@lists.fedoraproject.org
To unsubscribe send an email to 389-users-leave@lists.fedoraproject.org
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/389-users@lists.fedoraproject.org
Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure
Posted by at

No comments:

Post a Comment

Subscribe to: Post Comments (Atom)