Skip to content

Creating ACIs for Admin

Endi S. Dewata edited this page Feb 24, 2023 · 1 revision

This step is defined in DogtagInstance.add_ipaca_aci().

It adds ACI to allow ipaca users to read their own group information.

Dogtag users aren’t allowed to enumerate their own groups. The setup_admin() method needs the permission to wait, until all group information has been replicated.

dn: ou=groups,o=ipaca
changetype: modify
add: aci
aci: (targetfilter="(objectClass=groupOfUniqueNames)")
 (targetattr="cn || description || objectclass || uniquemember")
 (version 3.0; acl "Allow users from o=ipaca to read groups";
  allow (read, search, compare)
  userdn="ldap:///uid=*,ou=people,o=ipaca";)
Clone this wiki locally