Anonymous_User

automatic ACL


How to avoid an ACL being automatically added to the object on creation?

The user who performs the creation of the object automatically gets
all [Entry Rights] on that particular object after the creation. How to
avoid that?

I use the Novell LDAP C# API to create those objects, but I do not have any
code to deal with ACLs on the created object.


--
are79
------------------------------------------------------------------------
are79's Profile: https://forums.netiq.com/member.php?userid=2255
View this thread: https://forums.netiq.com/showthread.php?t=46695

12 Replies
Knowledge Partner

Re: automatic ACL

On 2/1/2013 9:24 AM, are79 wrote:
>
> How to avoid ACL to be automatically added to the object on creation.
>
> The user which performs the creation of the object automatically gets
> all [Entry Rights] on that particular object after the creation. How to
> avoid that.


Did you notice the Print Job Configuration and Login Script grants too?

You need to modify base schema, for the permissions template. It is
possible to do, but also pretty easy to undo (I think Rebuild Operation
Schema in Dsrepair will reset it). There is a TID on how to do this.

The trick is you need to do it via LDIF, in one LDAP operation. So you
do a delete, then an add, using the - on a line to tie the events together.

David G has this done in his tree I think.

> I use Novell Ldap c# api to create those objects. But I do not have any
> code to deal with acls on the created object.
>
>


Anonymous_User

Re: automatic ACL


Certain rights are automatically assigned via what is called the "Default
ACL Template" as specified in the schema. Though you can change the
behavior (http://www.novell.com/support/kb/doc.php?id=7006754), you
will likely end up breaking things in the future. The main reason
for the creator to have rights over the created object is that "someone"
needs to be able to manage the object, and if you remove that you can
easily end up with either totally or partially unmanageable objects.


--
peterkuo
------------------------------------------------------------------------
peterkuo's Profile: https://forums.netiq.com/member.php?userid=170
View this thread: https://forums.netiq.com/showthread.php?t=46695

Knowledge Partner

Re: automatic ACL

On 2/1/2013 11:14 PM, peterkuo wrote:
>
> Certain rights are automatically assigned via what is called "Default
> ACL Template" as specified in the schema. Though you can change the
> behavior (http://www.novell.com/support/kb/doc.php?id=7006754), however,
> you will likely end up breaking things in the future. The main reason
> for the creator to have rights over the created object is that "someone"
> needs to be able to manage the object, and if you remove that you can
> easily end up with either totally or partially unmanageable objects.


Can you give some examples of "someone needs to be able to manage it"?
The most common place to change the ACL template is on a user and remove
the Print Job Configuration and Login Script grants. Which clearly does
not fit in your example.

PS: Is there a documented list of the entire ACL Template somewhere? I
am not sure I recall ever seeing it in a useful fashion.


Anonymous_User

Re: automatic ACL


To see the Default ACL template, it's best to simply dump the schema (as
it will be current to what is in effect in the tree) and look for
entries with X-NDS_ACL_TEMPLATES, as there are a number of them.


--
peterkuo
------------------------------------------------------------------------
peterkuo's Profile: https://forums.netiq.com/member.php?userid=170
View this thread: https://forums.netiq.com/showthread.php?t=46695

Anonymous_User

Re: automatic ACL


Haven't the time to track thru the ACL, but off the top of the head, if
the creator has no rights to the object, who is going to assign the user
to a group, for instance?


--
peterkuo
------------------------------------------------------------------------
peterkuo's Profile: https://forums.netiq.com/member.php?userid=170
View this thread: https://forums.netiq.com/showthread.php?t=46695

Knowledge Partner

Re: automatic ACL

On 2/6/2013 11:54 PM, peterkuo wrote:
>
> Haven't the time to track thru the ACL, but off the top of the head, if
> the creator has no rights to the object, who is going to assign the user
> to a group, for instance?


Through inheritance of rights from the top of the tree? Why should you
need explicit rights to an object? I am sure I am missing your point.

Anonymous_User

Re: automatic ACL

On Thu, 07 Feb 2013 18:04:51 +0000, Geoffrey Carman wrote:

> On 2/6/2013 11:54 PM, peterkuo wrote:
>>
>> Haven't the time to track thru the ACL, but off the top of the head, if
>> the creator has no rights to the object, who is going to assign the
>> user to a group, for instance?

>
> Through inheritance of rights from the top of the tree? Why should you
> need an explicit rights to an object? I am sure I am missing your
> point.


Well, you can't always count on inherited rights. It's possible to have
creation rights but not the necessary management rights to an object -
and often times object creation requires modify rights to set additional
attributes. For example, if I have C rights to create an object and
don't have attribute modification rights, when the system tries to set
mandatory attributes, the object creation will fail or you'll just end up
with an unknown object.

The default ACL is used to ensure the creator can actually set the values
they need to for creation to be successful.

At least that's how I remember having it explained to me a few years
back. 🙂

Jim



--
Jim Henderson, CNA6, CDE, CNI, LPIC-1, CLA10, CLP10
Novell Knowledge Partner
Knowledge Partner

Re: automatic ACL

On 2/7/2013 5:37 PM, Jim Henderson wrote:
> On Thu, 07 Feb 2013 18:04:51 +0000, Geoffrey Carman wrote:
>
>> On 2/6/2013 11:54 PM, peterkuo wrote:
>>>
>>> Haven't the time to track thru the ACL, but off the top of the head, if
>>> the creator has no rights to the object, who is going to assign the
>>> user to a group, for instance?

>>
>> Through inheritance of rights from the top of the tree? Why should you
>> need an explicit rights to an object? I am sure I am missing your
>> point.

>
> Well, you can't always count on inherited rights. It's possible to have
> creation rights but not the necessary management rights to an object -
> and often times object creation requires modify rights to set additional


That makes sense. Thanks. I had not considered that aspect.

> attributes. For example, if I have C rights to create an object and
> don't have attribute modification rights, when the system tries to set
> mandatory attributes, the object creation will fail or you'll just end up
> with an unknown object.
>
> The default ACL is used to ensure the creator can actually set the values
> they need to for creation to be successful.
>
> At least that's how I remember having it explained to me a few years
> back. 🙂
>
> Jim
>
>
>


Anonymous_User

Re: automatic ACL


And how do you get rights to the "top level" of the tree in the first
place? And what happens then if there is an IRF?


--
peterkuo
------------------------------------------------------------------------
peterkuo's Profile: https://forums.netiq.com/member.php?userid=170
View this thread: https://forums.netiq.com/showthread.php?t=46695

Anonymous_User

Re: automatic ACL

On Thu, 07 Feb 2013 04:54:02 +0000, peterkuo wrote:

> Haven't the time to track thru the ACL, but off the top of the head, if
> the creator has no rights to the object, who is going to assign the user
> to a group, for instance?


Any user with Write rights to the Group can add any User object that it
has Browse rights to.


--
--------------------------------------------------------------------------
David Gersic dgersic_@_niu.edu
Knowledge Partner http://forums.netiq.com

Please post questions in the forums. No support provided via email.

Anonymous_User

Re: automatic ACL


And how do you get rights to assign the W in the first place?


--
peterkuo
------------------------------------------------------------------------
peterkuo's Profile: https://forums.netiq.com/member.php?userid=170
View this thread: https://forums.netiq.com/showthread.php?t=46695

Anonymous_User

Re: automatic ACL

On Fri, 01 Feb 2013 14:24:02 +0000, are79 wrote:

> How to avoid ACL to be automatically added to the object on creation.


You can remove items from the Default ACL Template in the schema. You
can't add new ones, at least not as of the last time I tried it. Or, to
be pedantic, you can add new ones, but they aren't used and it doesn't do
anything useful to do so.


> The user which performs the creation of the object automatically gets
> all [Entry Rights] on that particular object after the creation. How to
> avoid that.


From my notes:

Each object class in the schema can have one or more ACLs applied to
newly created objects via a Template mechanism. The default ACL template
is stored in the schema as part of the object class definition. As with
the [Public] object rights applied by default, this may be helpful in a
general purpose directory, but requires further security here.

To change the Default ACL Template, it is necessary to export the current
schema definition, find the parts that require changing, and import a
modified definition to change them.

Export the current schema to a file:

ldapsearch -x -H ldaps://192.168.1.1 -D "cn=admin,o=oname" -w password -b "cn=schema" -s base > schema.ldif

Then edit the schema.ldif file and find the definition for the User
object class (inetOrgPerson). It will start with something like:

objectClasses: ( 2.16.840.1.113730.3.2.2 NAME 'inetOrgPerson'

The object class definition spans several lines, and ends where the next
"objectClasses:" line begins. The inetOrgPerson definition will look
something like:

objectClasses: ( 2.16.840.1.113730.3.2.2 NAME 'inetOrgPerson' SUP organization
 alPerson STRUCTURAL MAY ( groupMembership $ ndsHomeDirectory $ loginAllowedTi
 meMap $ loginDisabled $ loginExpirationTime $ loginGraceLimit $ loginGraceRem
 aining $ loginIntruderAddress $ loginIntruderAttempts $ loginIntruderResetTim
 e $ loginMaximumSimultaneous $ loginScript $ loginTime $ networkAddressRestri
 ction $ networkAddress $ passwordsUsed $ passwordAllowChange $ passwordExpira
 tionInterval $ passwordExpirationTime $ passwordMinimumLength $ passwordRequi
 red $ passwordUniqueRequired $ printJobConfiguration $ privateKey $ Profile $
  publicKey $ securityEquals $ accountBalance $ allowUnlimitedCredit $ minimum
 AccountBalance $ messageServer $ Language $ UID $ lockedByIntruder $ serverHo
 lds $ lastLoginTime $ typeCreatorMap $ higherPrivileges $ printerControl $ se
 curityFlags $ profileMembership $ Timezone $ sASServiceDN $ sASSecretStore $
  sASSecretStoreKey $ sASSecretStoreData $ sASPKIStoreKeys $ userCertificate $
  nDSPKIUserCertificateInfo $ nDSPKIKeystore $ rADIUSActiveConnections $ rADIUS
 AttributeLists $ rADIUSConcurrentLimit $ rADIUSConnectionHistory $ rADIUSDefa
 ultProfile $ rADIUSDialAccessGroup $ rADIUSEnableDialAccess $ rADIUSPassword
  $ rADIUSServiceList $ audio $ businessCategory $ carLicense $ departmentNumbe
 r $ employeeNumber $ employeeType $ givenName $ homePhone $ homePostalAddress
  $ initials $ jpegPhoto $ labeledUri $ mail $ manager $ mobile $ pager $ ldap
 Photo $ preferredLanguage $ roomNumber $ secretary $ uid $ userSMIMECertifica
 te $ x500UniqueIdentifier $ displayName $ userPKCS12 ) X-NDS_NAME 'User' X-ND
 S_NOT_CONTAINER '1' X-NDS_NONREMOVABLE '1' X-NDS_ACL_TEMPLATES ( '2#subtree#[
 Self]#[All Attributes Rights]' '6#entry#[Self]#loginScript' '1#subtree#[Root
  Template]#[Entry Rights]' '2#entry#[Public]#messageServer' '2#entry#[Root Tem
 plate]#groupMembership' '6#entry#[Self]#printJobConfiguration' '2#entry#[Root
  Template]#networkAddress') )

Though depending on the actual tree being modified, it may be different
from the example here. The important parts are at the end of the block,
in the section for X-NDS_ACL_TEMPLATES().

Edit out the remainder of the file, leaving just the objectClasses
definition for inetOrgPerson. Use this to create a new LDIF file
containing the definition desired, like:

# LDIF: a continuation line starts with exactly one space, which is removed
# when the value is unfolded. Where the value itself has a space at the fold
# (for example before "publicKey" below), the continuation line carries two.
dn: cn=schema
changetype: modify
delete: objectClasses
objectClasses: ( 2.16.840.1.113730.3.2.2 )
-
add: objectClasses
objectClasses: ( 2.16.840.1.113730.3.2.2 NAME 'inetOrgPerson' SUP organization
 alPerson STRUCTURAL MAY ( groupMembership $ ndsHomeDirectory $ loginAllowedTi
 meMap $ loginDisabled $ loginExpirationTime $ loginGraceLimit $ loginGraceRem
 aining $ loginIntruderAddress $ loginIntruderAttempts $ loginIntruderResetTim
 e $ loginMaximumSimultaneous $ loginScript $ loginTime $ networkAddressRestri
 ction $ networkAddress $ passwordsUsed $ passwordAllowChange $ passwordExpira
 tionInterval $ passwordExpirationTime $ passwordMinimumLength $ passwordRequi
 red $ passwordUniqueRequired $ printJobConfiguration $ privateKey $ Profile $
  publicKey $ securityEquals $ accountBalance $ allowUnlimitedCredit $ minimum
 AccountBalance $ messageServer $ Language $ UID $ lockedByIntruder $ serverHo
 lds $ lastLoginTime $ typeCreatorMap $ higherPrivileges $ printerControl $ se
 curityFlags $ profileMembership $ Timezone $ sASServiceDN $ sASSecretStore $
  sASSecretStoreKey $ sASSecretStoreData $ sASPKIStoreKeys $ userCertificate $
  nDSPKIUserCertificateInfo $ nDSPKIKeystore $ rADIUSActiveConnections $ rADIUS
 AttributeLists $ rADIUSConcurrentLimit $ rADIUSConnectionHistory $ rADIUSDefa
 ultProfile $ rADIUSDialAccessGroup $ rADIUSEnableDialAccess $ rADIUSPassword
  $ rADIUSServiceList $ audio $ businessCategory $ carLicense $ departmentNumbe
 r $ employeeNumber $ employeeType $ givenName $ homePhone $ homePostalAddress
  $ initials $ jpegPhoto $ labeledUri $ mail $ manager $ mobile $ pager $ ldap
 Photo $ preferredLanguage $ roomNumber $ secretary $ uid $ userSMIMECertifica
 te $ x500UniqueIdentifier $ displayName $ userPKCS12 ) X-NDS_NAME 'User' X-ND
 S_NOT_CONTAINER '1' X-NDS_NONREMOVABLE '1' X-NDS_ACL_TEMPLATES (
  '1#subtree#[Root Template]#[Entry Rights]' ) )
-

by removing the non-desired ACLs from the X-NDS_ACL_TEMPLATES section.
Leave everything else in the inetOrgPerson definition alone. Once the
file has been created, apply this change to the schema:

ldapmodify -x -H ldaps://192.168.1.1 -D cn=admin,o=oname -w password -f schema.ldif


Reference: Novell TID #10092621


--
--------------------------------------------------------------------------
David Gersic dgersic_@_niu.edu
Knowledge Partner http://forums.netiq.com

Please post questions in the forums. No support provided via email.
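The export, edit and re-import procedure in the post above is easy to get wrong by hand, because the edited objectClasses value has to be byte-for-byte the original apart from the template list, and LDIF folding hides spaces at line breaks. The following is an added example written for this thread, not code from the thread or from Novell/NetIQ. It unfolds a schema dump in the form ldapsearch emits, decodes each template with the privilege bit values of the eDirectory ACL syntax (1/2/4/8/16 for entry rights, 1/2/4/8/32 for attribute rights; the inheritance-control bit is not decoded), drops the loginScript and printJobConfiguration grants that Geoffrey mentions, and writes the single delete/add modify record. The schema text inside it is constructed and cut down to a handful of MAY attributes, and every function name is the example's own.

```python
"""Edit the X-NDS_ACL_TEMPLATES of one eDirectory object class.

Added example, not code from the thread or from NetIQ/Novell: unfold an LDIF
schema dump, decode a class's Default ACL Template entries, drop the unwanted
ones and emit the delete/add modify record described in the thread.
"""
import re

# Constructed, abbreviated stand-in for ldapsearch output; real inetOrgPerson
# definitions carry a far longer MAY list. Folded exactly as LDIF folds.
SAMPLE_SCHEMA_LDIF = """\
dn: cn=schema
objectClasses: ( 2.16.840.1.113730.3.2.2 NAME 'inetOrgPerson' SUP organizationa
 lPerson STRUCTURAL MAY ( groupMembership $ loginScript $ printJobConfiguratio
 n $ messageServer $ networkAddress ) X-NDS_NAME 'User' X-NDS_NOT_CONTAINER '1
 ' X-NDS_NONREMOVABLE '1' X-NDS_ACL_TEMPLATES ( '2#subtree#[Self]#[All Attribu
 tes Rights]' '6#entry#[Self]#loginScript' '1#subtree#[Root Template]#[Entry R
 ights]' '2#entry#[Public]#messageServer' '2#entry#[Root Template]#groupMember
 ship' '6#entry#[Self]#printJobConfiguration' '2#entry#[Root Template]#network
 Address' ) )
"""

INETORGPERSON_OID = "2.16.840.1.113730.3.2.2"

# Privilege bits of the eDirectory ACL value syntax privs#scope#trustee#target.
# Entry and attribute rights use different tables; inheritance control not decoded.
ENTRY_BITS = {1: "Browse", 2: "Create", 4: "Delete", 8: "Rename", 16: "Supervisor"}
ATTR_BITS = {1: "Compare", 2: "Read", 4: "Write", 8: "Self", 32: "Supervisor"}

ACL_LIST_RE = re.compile(r"X-NDS_ACL_TEMPLATES\s*\(\s*((?:'[^']*'\s*)*)\)")


def ldif_attributes(text):
    """Unfold an LDIF record and yield (attribute, value) pairs."""
    logical = []
    for line in text.splitlines():
        if line.startswith(" ") and logical:
            logical[-1] += line[1:]      # drop exactly one fold space, keep the rest
        elif line:
            logical.append(line)
    for entry in logical:
        attr, sep, value = entry.partition(":")
        if sep and not value.startswith(":"):   # "attr::" (base64) not needed here
            yield attr, value.strip()


def find_object_class(schema_ldif, oid):
    """Return the objectClasses definition whose OID matches."""
    for attr, value in ldif_attributes(schema_ldif):
        if attr == "objectClasses" and value.startswith(f"( {oid} "):
            return value
    raise KeyError(f"no objectClasses definition for OID {oid}")


def acl_templates(oc_def):
    """List the raw template strings of one class definition."""
    m = ACL_LIST_RE.search(oc_def)
    return re.findall(r"'([^']*)'", m.group(1)) if m else []


def decode_template(template):
    """Split one template and name the privilege bits it grants."""
    privs, scope, trustee, target = template.split("#", 3)
    table = ENTRY_BITS if target == "[Entry Rights]" else ATTR_BITS
    mask = int(privs)
    return {"privileges": mask, "scope": scope, "trustee": trustee, "target": target,
            "rights": [name for bit, name in table.items() if mask & bit]}


def rewrite_templates(oc_def, keep):
    """Keep only templates for which keep(t) is true; touch nothing else in the class."""
    m = ACL_LIST_RE.search(oc_def)
    if m is None:
        return oc_def
    kept = [t for t in acl_templates(oc_def) if keep(t)]
    # An empty list drops the extension instead of leaving an empty "( )".
    new_list = "X-NDS_ACL_TEMPLATES ( " + " ".join(f"'{t}'" for t in kept) + " )" if kept else ""
    return re.sub(r"\s+", " ", oc_def[:m.start()] + new_list + oc_def[m.end():]).strip()


def fold_ldif_line(line, width=76):
    """Fold one logical LDIF line so no physical line exceeds width characters."""
    parts, rest = [line[:width]], line[width:]
    while rest:
        parts.append(" " + rest[:width - 1])
        rest = rest[width - 1:]
    return "\n".join(parts)


def build_modify_ldif(oid, new_def):
    """One change record: delete the class by OID, then add the edited definition."""
    return "\n".join(["dn: cn=schema", "changetype: modify",
                      "delete: objectClasses", f"objectClasses: ( {oid} )", "-",
                      "add: objectClasses", fold_ldif_line(f"objectClasses: {new_def}"),
                      "-", ""])


def is_wanted(template):
    """Drop the creator-side loginScript and printJobConfiguration grants."""
    return not template.endswith(("#loginScript", "#printJobConfiguration"))


if __name__ == "__main__":
    oc = find_object_class(SAMPLE_SCHEMA_LDIF, INETORGPERSON_OID)
    for t in acl_templates(oc):
        print(decode_template(t))
    new_oc = rewrite_templates(oc, is_wanted)
    print(build_modify_ldif(INETORGPERSON_OID, new_oc), end="")
    # Apply with: ldapmodify -x -H ldaps://host -D cn=admin,o=oname -W -f changes.ldif
```

Point it at a real dump by reading the file into the place of SAMPLE_SCHEMA_LDIF, save the printed record to a file and apply it with ldapmodify as in the post above (-W, prompting for the password, keeps it out of shell history, unlike -w password). Re-run the schema export afterwards and compare acl_templates() of the old and new definitions to confirm the tree accepted exactly the change intended; as noted earlier in the thread, a schema rebuild in DSRepair may put the defaults back, so keep the modify file for re-application.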
