ACI

Usage example

ACI_TARGET = ('(targetfilter ="(ou=groups)")(targetattr ="uniqueMember '
              '|| member")')
ACI_ALLOW = ('(version 3.0; acl "Allow test aci";allow (read, search, '
             'write)')
ACI_SUBJECT = ('(userdn="ldap:///dc=example,dc=com??sub?(ou=engineering)" '
               'and userdn="ldap:///dc=example,dc=com??sub?(manager=uid='
               'wbrown,ou=managers,dc=example,dc=com) || ldap:///dc=examp'
               'le,dc=com??sub?(manager=uid=tbrown,ou=managers,dc=exampl'
               'e,dc=com)" );)')

# Add some entry with ACI
group_dn = 'cn=testgroup,{}'.format(DEFAULT_SUFFIX)
gentry = Entry(group_dn)
gentry.setValues('objectclass', 'top', 'extensibleobject')
gentry.setValues('cn', 'testgroup')
gentry.setValues('aci', ACI_BODY)
standalone.add_s(gentry)

# Get and parse ACI
acis = standalone.aci.list()
aci = acis[0]

assert aci.acidata == {
    'allow': [{'values': ['read', 'search', 'write']}],
    'target': [], 'targetattr': [{'values': ['uniqueMember', 'member'],
                                  'equal': True}],
    'targattrfilters': [],
    'deny': [],
    'acl': [{'values': ['Allow test aci']}],
    'deny_raw_bindrules': [],
    'targetattrfilters': [],
    'allow_raw_bindrules': [{'values': [(
        'userdn="ldap:///dc=example,dc=com??sub?(ou=engineering)" and'
        ' userdn="ldap:///dc=example,dc=com??sub?(manager=uid=wbrown,'
        'ou=managers,dc=example,dc=com) || ldap:///dc=example,dc=com'
        '??sub?(manager=uid=tbrown,ou=managers,dc=example,dc=com)" ')]}],
    'targetfilter': [{'values': ['(ou=groups)'], 'equal': True}],
    'targetscope': [],
    'version 3.0;': [],
    'rawaci': complex_aci
}

# You can get a raw ACI
raw_aci = aci.getRawAci()

Module documentation

class lib389.aci.Aci(conn)[source]

An object that helps to work with agreement entry

Parameters:conn (lib389.DirSrv) – An instance
format_lint(warnings)[source]

Takes the array of warnings and returns a formatted string.

Parameters:warnings (dict) – The array of warnings
Returns:Formatted string or warnings
lint(basedn, scope=2)[source]

Validate and check for potential aci issues.

Given a scope and basedn, this will retrieve all the aci’s below. A number of checks are then run on the aci in isolation, and in groups.

Parameters:
  • basedn (str) – Base DN
  • scope (int) – ldap.SCOPE_SUBTREE, ldap.SCOPE_BASE, ldap.SCOPE_ONELEVEL, ldap.SCOPE_SUBORDINATE
Returns:

A tuple of (bool, list( dict )) - Bool represents if the acis pass or fail as a whole. - The list contains a list of warnings about your acis. - The dict is structured as:

{
  name: "" # DSALEXXXX
  severity: "" # LOW MEDIUM HIGH
  detail: "" # explination
}

list(basedn, scope=2)[source]

List all acis in the directory server below the basedn confined by scope.

Parameters:
  • basedn (str) – Base DN
  • scope (int) – ldap.SCOPE_SUBTREE, ldap.SCOPE_BASE, ldap.SCOPE_ONELEVEL, ldap.SCOPE_SUBORDINATE
Returns:

A list of EntryAci objects

class lib389._entry.EntryAci(entry, rawaci, verbose=False)[source]

Breaks down an aci attribute string from 389, into a dictionary of terms and values. These values can then be manipulated, and subsequently rebuilt into an aci string.

Parameters:
  • entry (lib389._entry.Entry) – An entry
  • rawaci (str) – Aci in a raw form
  • verbose (bool) – False by default
getRawAci()[source]

This method will rebuild an aci from the contents of the acidata dict found on the object.

Returns:An aci attribute string.