Symantec Access Management

ACL CA Directory

  • 1.  ACL CA Directory

    Posted Oct 28, 2018 02:58 PM

    Hello Guys,

     

    Greetings!!

     

    I wanted to create an ACL to restrict a user account to modifying only certain branches, like (OU=External, OU=PrivilegedUsers). Below are the details of the LDAP.

     

    CA Directory 12.6.05

     

    Regards,

    Sandeep



  • 2.  Re: ACL CA Directory

    Posted Oct 29, 2018 09:57 AM

    sandeepIAEA

     

     

    Configure Access Controls - CA Directory - 12.6 - CA Technologies Documentation  

    Example Access Control Policy - CA Directory - 12.6 - CA Technologies Documentation 

     

    When you log in as user 'subadmin' we should have access only to 'OU = PrivilegedUsers'.

     

    Try this

    set admin-user = {
    user = <dc "com"> <dc "company"> <ou "ustore"> <ou "serviceaccts"> <cn "subadmin">
    subtree = <dc "com"> <dc "company"> <ou "External"> <ou "PrivilegedUsers">
    };

    set super-user = {
    user = <dc "com"> <dc "company"> <ou "ustore"> <ou "superaccts"> <cn "superadmin">
    };

    set access-controls = true;



  • 3.  Re: ACL CA Directory

    Posted Oct 29, 2018 10:39 AM

    Hi Hubert,

     

    Greetings!

     

    I have tried to use the below in the userstore.dxc file. 

     

    set admin-user "testUsers OU Read Access" = {
    user=<dc "org"><dc "company"><ou "admins"><commonName "testUsers">
    subtree = <dc "org"><dc "company"><ou "external"><ou "PrivilegedUsers">
    };

     

    I ignored the below syntax as we already have it:

     

    set super-user = {
    user = <dc "com"> <dc "company"> <ou "ustore"> <ou "superaccts"> <cn "Administrator">
    };

    set access-controls = true;

     

    I restarted the dxserver and logged in using the account testUsers and tried to modify an entry in ou=old users. 

     

    I am able to modify the entry, but in fact I should not be able to. Did I do something wrong?

     

    Regards, 
    Sandeep



  • 4.  Re: ACL CA Directory

    Posted Oct 29, 2018 03:50 PM

    Sandeep sandeepIAEA

     

     

    When we login as CN=testusers we should be able to see only the OU which is permitted.

     

    I do not see your complete TREE, so not sure where ou=old is located.

     

    Can you confirm whether userstore.dxc is enabled / sourced within the server initialization file? What I'm trying to ascertain is whether your ACL is being enforced or applied at all.



  • 5.  Re: ACL CA Directory

    Broadcom Employee
    Posted Oct 31, 2018 12:19 PM

    Hello,

     

    What you have (below) should work, restricting user 'testUsers' to update only defined 'subtree' DIT (Directory Information Tree):

     

    set admin-user "testUsers OU Read Access" = {
    user=<dc "org"><dc "company"><ou "admins"><commonName "testUsers">
    subtree = <dc "org"><dc "company"><ou "external"><ou "PrivilegedUsers">
    };

     

    One thing to make sure of here is that you have the user defined with 'cn' (commonName) and not with 'uid'. As there are no checks made on the Access Control Rules that you define, I have seen this in the past.

     

    e.g. You have the above defined, but the actual user you log in with via the LDAP browser is "uid=testUsers,ou=admins,dc=company,dc=org". As you can see, the defined ACL/ACI looks for 'cn=testUsers' while the actual user is 'uid=testUsers', hence it never blocks this user from updating any other DIT values.

     

    -Hitesh

     
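    As an added illustration of Hitesh's point (not code from this thread or from CA Directory itself), the Python sketch below parses the DXserver prefix notation of a `user` / `subtree` clause and an LDAP bind DN into the same normalised form, then checks whether the rule would match the bind identity at all, and whether a target entry falls under the permitted subtree. It assumes case-insensitive attribute values, treats `commonName`/`cn` (and the other X.500 long/short names listed) as the same type, and uses a simplified DN splitter with no support for escaped commas; the sample DNs are constructed.

```python
import re

# Long/short attribute-type names treated as equivalent (assumption: the DSA
# matches on the type, so commonName == cn, but uid is a different type).
ALIASES = {
    "commonname": "cn", "cn": "cn",
    "organizationalunitname": "ou", "ou": "ou",
    "domaincomponent": "dc", "dc": "dc",
    "organizationname": "o", "o": "o",
    "countryname": "c", "c": "c",
    "uid": "uid",
}

# One RDN in DXserver prefix notation, e.g. <ou "admins">
RDN_RE = re.compile(r'<\s*(\w+)\s+"([^"]*)"\s*>')


def norm(attr_type, value):
    """Normalise one RDN to (canonical-type, lower-cased value)."""
    return ALIASES[attr_type.strip().lower()], value.strip().lower()


def parse_dxc_prefix(prefix):
    """Root-first list of RDNs from <dc "org"><dc "company">...<cn "x">."""
    rdns = [norm(t, v) for t, v in RDN_RE.findall(prefix)]
    if not rdns:
        raise ValueError(f"no RDNs found in {prefix!r}")
    return rdns


def parse_ldap_dn(dn):
    """Root-first list of RDNs from a leaf-first LDAP DN (no escaped commas)."""
    parts = [p.split("=", 1) for p in dn.split(",")]
    return [norm(t, v) for t, v in reversed(parts)]


def user_clause_matches(user_clause, bind_dn):
    """True when the ACL 'user' clause names exactly the DN that binds."""
    return parse_dxc_prefix(user_clause) == parse_ldap_dn(bind_dn)


def in_subtree(subtree_clause, target_dn):
    """True when target_dn is the subtree root or lies beneath it."""
    sub = parse_dxc_prefix(subtree_clause)
    return parse_ldap_dn(target_dn)[: len(sub)] == sub


def modify_permitted(user_clause, subtree_clause, bind_dn, target_dn):
    """Would this admin-user rule scope a modify by bind_dn on target_dn?"""
    return user_clause_matches(user_clause, bind_dn) and in_subtree(subtree_clause, target_dn)
```

    Running the thread's rule against a `cn=testUsers` bind shows it matches, while a `uid=testUsers` bind never matches the rule, which is exactly the symptom described above.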



  • 6.  Re: ACL CA Directory

    Posted Nov 01, 2018 09:19 AM

    HubertDennis

     

    Thanks for your response. 

     

    Yes, the userstore.dxc is sourced in the server's file like below:

     

    # access controls
    clear access;
    source "../access/UserStore.dxc";

     

    When we log in as CN=testusers we should be able to see only the OU which is permitted.

    But I see all the OUs in the LDAP when I log in using the account.

     

     

    Hitesh_Patel

     

    I am trying to log in to the LDAP browser using cn=testusers only.

     

    Regards,
    Sandeep 



  • 7.  Re: ACL CA Directory

    Posted Nov 01, 2018 09:28 AM

    sandeepIAEA

     

    Could you say what tool we are using? e.g. If I use the Softerra LDAP browser, it does display the entire tree; however, it only allows editing the OU on which the permissions are. If I use JXplorer or DXSearch, only the OU on which permissions are allotted is displayed. Could this be the case?



  • 8.  Re: ACL CA Directory

    Posted Nov 01, 2018 09:31 AM

    I am using JXplorer. I am also able to edit the entries in other OUs using the account for which we gave permissions. Could I go ahead & raise a support case?



  • 9.  Re: ACL CA Directory
    Best Answer

    Broadcom Employee
    Posted Nov 01, 2018 09:36 AM

    Sandeep,

     

    Yes, support case is the best option at this point otherwise this back/forth will continue. When you do open one, please also run 'dxinfo -x logs' at the system prompt and upload the resulting two files to the case.

    i.e. hostname_cadir_config.cab and hostname_cadir_dxinfo.log

     

    If this is on Linux, make sure to run the command as 'dsa' user and resulting files will be:

    hostname_cadir_config.tar.gz and hostname_cadir_dxinfo.log

     

    -Hitesh



  • 10.  Re: ACL CA Directory

    Posted Nov 01, 2018 09:38 AM

    sandeepIAEA

     

    Before we raise a case, test the below and share the result.

     

    Instead of using

     

    set admin-user "testUsers OU Read Access" = {
    user=<dc "org"><dc "company"><ou "admins"><commonName "testUsers">
    subtree = <dc "org"><dc "company"><ou "external"><ou "PrivilegedUsers">
    };

     

    Please use

     

    set admin-user = {
    user=<dc "org"><dc "company"><ou "admins"><commonName "testUsers">
    subtree = <dc "org"><dc "company"><ou "external"><ou "PrivilegedUsers">
    };

     

    Let me know the result.



  • 11.  Re: ACL CA Directory

    Posted Nov 01, 2018 09:46 AM

    It's the same. Thanks for your response. I'll go with the support case.

    Thanks Hubert & Hitesh. 

     

    Regards,
    Sandeep



  • 12.  RE: Re: ACL CA Directory

    Posted Nov 11, 2021 08:58 AM
    Hi Sandeep,

    Can you please share with us how you solved this problem? Can you please share with us?

    Thanks in advance,
    Marcel