
Thread: automatic ACL


  1. #1
    are79 NNTP User

    automatic ACL


    How do I avoid an ACL being automatically added to the object on creation?

    The user who performs the creation of the object automatically gets
    all [Entry Rights] on that particular object after the creation. How do I
    avoid that?

    I use the Novell LDAP C# API to create those objects, but I do not have any
    code to deal with ACLs on the created object.


    --
    are79
    ------------------------------------------------------------------------
    are79's Profile: https://forums.netiq.com/member.php?userid=2255
    View this thread: https://forums.netiq.com/showthread.php?t=46695


  2. #2
    Join Date: Dec 2007 | Location: Brooklyn, NY | Posts: 6,213

    Re: automatic ACL

    On 2/1/2013 9:24 AM, are79 wrote:
    >
    > How do I avoid an ACL being automatically added to the object on creation?
    >
    > The user who performs the creation of the object automatically gets
    > all [Entry Rights] on that particular object after the creation. How do I
    > avoid that?


    Did you notice the Print Job Configuration and Login Script grants too?

    You need to modify the base schema for the permissions template. It is
    possible to do, but also pretty easy to undo (I think Rebuild Operation
    Schema in DSRepair will reset it). There is a TID on how to do this.

    The trick is you need to do it via LDIF, in one LDAP operation. So you
    do a delete, then an add, using a "-" on a line by itself to tie the two
    together.

    David G has this done in his tree I think.

    > I use the Novell LDAP C# API to create those objects, but I do not have any
    > code to deal with ACLs on the created object.
    >
    >



  3. #3
    peterkuo NNTP User

    Re: automatic ACL


    Certain rights are automatically assigned via what is called the "Default
    ACL Template" as specified in the schema. You can change the behavior
    (http://www.novell.com/support/kb/doc.php?id=7006754), but you will likely
    end up breaking things in the future. The main reason for the creator to
    have rights over the created object is that "someone" needs to be able to
    manage the object, and if you remove that you can easily end up with
    either totally or partially unmanageable objects.


    --
    peterkuo
    ------------------------------------------------------------------------
    peterkuo's Profile: https://forums.netiq.com/member.php?userid=170


  4. #4
    Join Date: Dec 2007 | Location: Brooklyn, NY | Posts: 6,213

    Re: automatic ACL

    On 2/1/2013 11:14 PM, peterkuo wrote:
    >
    > Certain rights are automatically assigned via what is called the "Default
    > ACL Template" as specified in the schema. You can change the behavior
    > (http://www.novell.com/support/kb/doc.php?id=7006754), but you will likely
    > end up breaking things in the future. The main reason for the creator to
    > have rights over the created object is that "someone" needs to be able to
    > manage the object, and if you remove that you can easily end up with
    > either totally or partially unmanageable objects.


    Can you give some examples of "someone needs to be able to manage it"?
    The most common place to change the ACL template is on a User, to remove
    the Print Job Configuration and Login Script grants, which clearly does
    not fit your example.

    PS: Is there a documented list of the entire ACL Template somewhere? I
    am not sure I recall ever seeing it in a useful fashion.



  5. #5
    peterkuo NNTP User

    Re: automatic ACL


    To see the Default ACL Template, it's best to simply dump the schema (as
    it will be current to what is in effect in the tree) and look for
    entries with X-NDS-_ACL_TEMPLATES, as there are a number of them.


    --
    peterkuo
    ------------------------------------------------------------------------
    peterkuo's Profile: https://forums.netiq.com/member.php?userid=170
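As an added example (not code from this thread, from Novell or from the TID linked above), the script below does the two things the replies describe: it pulls the default ACL templates out of a schema LDIF dump so you can review which classes grant what to [Creator] or [Self] before touching anything, and it builds the single LDIF modify operation (a delete, a "-" line, then an add) that the earlier reply says is needed to change a class's template. Everything in it is an assumption to verify against your own tree: the extension name is matched as X-NDS_ACL_TEMPLATES (the post above spells it X-NDS-_ACL_TEMPLATES; adjust the regex if your dump differs), template values are assumed to use eDirectory's ACL layout privileges#scope#subject#attribute, the privilege bit meanings are my reading of that syntax, and the sample schema and its values are constructed for illustration.

```python
"""Inspect and edit eDirectory default ACL templates from a schema LDIF dump.

Added example, not code from the thread or from Novell. Assumes an RFC 2849
LDIF export of cn=schema, templates held in an X-NDS_ACL_TEMPLATES extension
as quoted 'privileges#scope#subject#attribute' strings, and the privilege bit
meanings below (my reading; verify against your documentation). The sample
schema is constructed for illustration, not a transcript of a real tree.
"""
import re

SAMPLE_SCHEMA_LDIF = """\
dn: cn=schema
objectClasses: ( 2.5.6.6 NAME 'person' SUP ndsLoginProperties STRUCTURAL MUST
  ( cn $ sn ) MAY ( description $ telephoneNumber ) X-NDS_ACL_TEMPLATES
  ('2#subtree#[Self]#loginScript' '2#subtree#[Self]#printJobConfiguration'
  '16#subtree#[Creator]#[Entry Rights]') )
objectClasses: ( 2.5.6.9 NAME 'groupOfNames' SUP top STRUCTURAL MUST ( cn )
  MAY ( member $ description ) )
objectClasses: ( 2.5.6.5 NAME 'organizationalUnit' SUP top STRUCTURAL MUST
  ( ou ) MAY ( description ) X-NDS_ACL_TEMPLATES
  ('16#subtree#[Creator]#[Entry Rights]') )
"""

NAME_RE = re.compile(r"NAME\s+'([^']+)'")
TEMPLATES_RE = re.compile(r"X-NDS_ACL_TEMPLATES\s*\(([^)]*)\)")
VALUE_RE = re.compile(r"'([^']*)'")
# Assumed bit meanings of the privileges field, entry rights vs. attribute rights.
ENTRY_BITS = {1: "browse", 2: "create", 4: "delete", 8: "rename", 16: "supervisor"}
ATTR_BITS = {1: "compare", 2: "read", 4: "write", 8: "self", 16: "supervisor",
             32: "inheritance control"}


def unfold_ldif(text):
    """Join RFC 2849 continuation lines (leading space) onto the line above."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines


def class_definitions(schema_ldif):
    """Yield (class name, definition) for every objectClasses value in the dump."""
    for line in unfold_ldif(schema_ldif):
        if line.startswith("objectClasses:"):
            definition = line[len("objectClasses:"):].strip()
            name = NAME_RE.search(definition)
            if name:
                yield name.group(1), definition


def acl_templates(schema_ldif):
    """Map class name -> template strings, for the classes that carry any."""
    result = {}
    for name, definition in class_definitions(schema_ldif):
        match = TEMPLATES_RE.search(definition)
        if match:
            result[name] = VALUE_RE.findall(match.group(1))
    return result


def parse_template(value):
    """Split one template into fields and decode its privilege bitmask."""
    privileges, scope, subject, attribute = value.split("#", 3)
    bits = ENTRY_BITS if attribute == "[Entry Rights]" else ATTR_BITS
    rights = [label for bit, label in bits.items() if int(privileges) & bit]
    return {"scope": scope, "subject": subject, "attribute": attribute,
            "rights": rights}


def classes_granting(schema_ldif, subject):
    """Classes whose templates grant anything to `subject` (e.g. '[Creator]')."""
    return sorted(name for name, values in acl_templates(schema_ldif).items()
                  if any(parse_template(v)["subject"] == subject for v in values))


def ldif_remove_template(schema_ldif, class_name, template):
    """Build the one-operation LDIF modify (delete, '-', add) that drops
    `template` from `class_name`; the old value is deleted verbatim, so feed
    this a fresh dump of the tree you intend to change."""
    for name, old in class_definitions(schema_ldif):
        if name != class_name:
            continue
        match = TEMPLATES_RE.search(old)
        values = VALUE_RE.findall(match.group(1)) if match else []
        if template not in values:
            raise ValueError(f"{class_name} has no template {template!r}")
        remaining = [v for v in values if v != template]
        if remaining:
            ext = "X-NDS_ACL_TEMPLATES (" + " ".join(f"'{v}'" for v in remaining) + ")"
            new = old[:match.start()] + ext + old[match.end():]
        else:  # extension removed entirely; tidy the doubled space before ')'
            new = re.sub(r"\s+\)$", " )", old[:match.start()] + old[match.end():])
        return "\n".join(["dn: cn=schema", "changetype: modify",
                          "delete: objectClasses", "objectClasses: " + old, "-",
                          "add: objectClasses", "objectClasses: " + new, "-", ""])
    raise KeyError(class_name)


if __name__ == "__main__":
    print("classes granting [Creator]:", classes_granting(SAMPLE_SCHEMA_LDIF, "[Creator]"))
    print(ldif_remove_template(SAMPLE_SCHEMA_LDIF, "person",
                               "2#subtree#[Self]#printJobConfiguration"))
```

Run it against a real export by replacing SAMPLE_SCHEMA_LDIF with the file contents; the generated LDIF is emitted unfolded, which LDIF readers accept. The delete value must match the server's current definition exactly, which is why the script takes it from the dump rather than retyping it, and why the review step (classes_granting) belongs before the modify: the unmanageable-object risk raised later in this thread is easiest to judge when you can see every class whose template still grants [Creator] rights.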


  6. #6
    peterkuo NNTP User

    Re: automatic ACL


    I haven't had the time to track through the ACL, but off the top of my
    head, if the creator has no rights to the object, who is going to assign
    the user to a group, for instance?


    --
    peterkuo
    ------------------------------------------------------------------------
    peterkuo's Profile: https://forums.netiq.com/member.php?userid=170


  7. #7
    Join Date: Dec 2007 | Location: Brooklyn, NY | Posts: 6,213

    Re: automatic ACL

    On 2/6/2013 11:54 PM, peterkuo wrote:
    >
    > Haven't the time to track thru the ACL, but off the top of the head, if
    > the creator has no rights to the object, who is going to assign the user
    > to a group, for instance?


    Through inheritance of rights from the top of the tree? Why should you
    need explicit rights to an object? I am sure I am missing your point.


  8. #8
    Jim Henderson NNTP User

    Re: automatic ACL

    On Thu, 07 Feb 2013 18:04:51 +0000, Geoffrey Carman wrote:

    > On 2/6/2013 11:54 PM, peterkuo wrote:
    >>
    >> Haven't the time to track thru the ACL, but off the top of the head, if
    >> the creator has no rights to the object, who is going to assign the
    >> user to a group, for instance?

    >
    > Through inheritance of rights from the top of the tree? Why should you
    > need an explicit rights to an object? I am sure I am missing your
    > point.


    Well, you can't always count on inherited rights. It's possible to have
    creation rights but not the necessary management rights to an object,
    and oftentimes object creation requires modify rights to set additional
    attributes. For example, if I have C rights to create an object and
    don't have attribute modification rights, when the system tries to set
    mandatory attributes, the object creation will fail or you'll just end up
    with an Unknown object.

    The default ACL is used to ensure the creator can actually set the values
    they need to for creation to be successful.

    At least that's how I remember having it explained to me a few years
    back.

    Jim



    --
    Jim Henderson, CNA6, CDE, CNI, LPIC-1, CLA10, CLP10
    Novell Knowledge Partner

  9. #9
    Join Date: Dec 2007 | Location: Brooklyn, NY | Posts: 6,213

    Re: automatic ACL

    On 2/7/2013 5:37 PM, Jim Henderson wrote:
    > On Thu, 07 Feb 2013 18:04:51 +0000, Geoffrey Carman wrote:
    >
    >> On 2/6/2013 11:54 PM, peterkuo wrote:
    >>>
    >>> Haven't the time to track thru the ACL, but off the top of the head, if
    >>> the creator has no rights to the object, who is going to assign the
    >>> user to a group, for instance?

    >>
    >> Through inheritance of rights from the top of the tree? Why should you
    >> need an explicit rights to an object? I am sure I am missing your
    >> point.

    >
    > Well, you can't always count on inherited rights. It's possible to have
    > creation rights but not the necessary management rights to an object -
    > and often times object creation requires modify rights to set additional


    That makes sense. Thanks. I had not considered that aspect.

    > attributes. For example, if I have C rights to create an object and
    > don't have attribute modification rights, when the system tries to set
    > mandatory attributes, the object creation will fail or you'll just end up
    > with an unknown object.
    >
    > The default ACL is used to ensure the creator can actually set the values
    > they need to for creation to be successful.
    >
    > At least that's how I remember having it explained to me a few years
    > back.
    >
    > Jim
    >
    >
    >



  10. #10
    peterkuo NNTP User

    Re: automatic ACL


    And how do you get rights to the "top level" of the tree in the first
    place? And what happens then if there is an IRF?


    --
    peterkuo
    ------------------------------------------------------------------------
    peterkuo's Profile: https://forums.netiq.com/member.php?userid=170

