ACI

Usage example

import ldap
from lib389._constants import DEFAULT_SUFFIX
from lib389._entry import Entry

ACI_TARGET = ('(targetfilter ="(ou=groups)")(targetattr ="uniqueMember '
              '|| member")')
ACI_ALLOW = ('(version 3.0; acl "Allow test aci";allow (read, search, '
             'write)')
ACI_SUBJECT = ('(userdn="ldap:///dc=example,dc=com??sub?(ou=engineering)" '
               'and userdn="ldap:///dc=example,dc=com??sub?(manager=uid='
               'wbrown,ou=managers,dc=example,dc=com) || ldap:///dc=examp'
               'le,dc=com??sub?(manager=uid=tbrown,ou=managers,dc=exampl'
               'e,dc=com)" );)')
# The complete aci value is the target clauses, followed by the
# version/acl/permission clause, followed by the bind rule
ACI_BODY = ACI_TARGET + ACI_ALLOW + ACI_SUBJECT

# Add some entry with ACI ('standalone' is assumed to be a connected
# lib389.DirSrv instance, as in the lib389 test topologies)
group_dn = 'cn=testgroup,{}'.format(DEFAULT_SUFFIX)
gentry = Entry(group_dn)
gentry.setValues('objectclass', 'top', 'extensibleobject')
gentry.setValues('cn', 'testgroup')
gentry.setValues('aci', ACI_BODY)
standalone.add_s(gentry)

# Get and parse ACI. Listing with SCOPE_BASE on the new entry returns only
# the acis of that entry, so acis[0] is the one just added and not one of
# the default acis that may already exist on the suffix.
acis = standalone.aci.list(group_dn, ldap.SCOPE_BASE)
aci = acis[0]

assert aci.acidata == {
    'allow': [{'values': ['read', 'search', 'write']}],
    'target': [], 'targetattr': [{'values': ['uniqueMember', 'member'],
                                  'equal': True}],
    'targattrfilters': [],
    'deny': [],
    'acl': [{'values': ['Allow test aci']}],
    'deny_raw_bindrules': [],
    'targetattrfilters': [],
    'allow_raw_bindrules': [{'values': [(
        'userdn="ldap:///dc=example,dc=com??sub?(ou=engineering)" and'
        ' userdn="ldap:///dc=example,dc=com??sub?(manager=uid=wbrown,'
        'ou=managers,dc=example,dc=com) || ldap:///dc=example,dc=com'
        '??sub?(manager=uid=tbrown,ou=managers,dc=example,dc=com)" ')]}],
    'targetfilter': [{'values': ['(ou=groups)'], 'equal': True}],
    'targetscope': [],
    'version 3.0;': [],
    'rawaci': ACI_BODY
}

# You can get a raw ACI string rebuilt from the parsed acidata
raw_aci = aci.getRawAci()

Module documentation

class lib389.aci.Aci(conn)

An object that helps to work with the aci entries of a directory server.

Parameters

conn (lib389.DirSrv) – An instance

format_lint(warnings)

Takes the list of warnings returned by lint() and returns a formatted string.

Parameters

warnings (list) – The list of warning dicts

Returns

Formatted string of warnings

lint(basedn, scope=2)

Validate and check for potential aci issues.

Given a scope and basedn, this will retrieve all the acis below. A number of checks are then run on each aci in isolation, and on the acis as a group.

Parameters
  • basedn (str) – Base DN

  • scope (int) – ldap.SCOPE_SUBTREE (the default, 2), ldap.SCOPE_BASE, ldap.SCOPE_ONELEVEL or ldap.SCOPE_SUBORDINATE

Returns

A tuple of (bool, list(dict)):
  • the bool is True if the acis pass as a whole and False if any check fails;
  • the list contains one dict per warning about your acis, structured as:

{
  name: ""      # DSALEXXXX identifier of the check
  severity: ""  # LOW, MEDIUM or HIGH
  detail: ""    # explanation of the finding
}

list(basedn, scope=2)

List all acis in the directory server below the basedn confined by scope.

Parameters
  • basedn (str) – Base DN

  • scope (int) – ldap.SCOPE_SUBTREE, ldap.SCOPE_BASE, ldap.SCOPE_ONELEVEL, ldap.SCOPE_SUBORDINATE

Returns

A list of EntryAci objects

class lib389._entry.EntryAci(entry, rawaci, verbose=False)

Breaks down an aci attribute string from 389 into a dictionary of terms and values. These values can then be manipulated and subsequently rebuilt into an aci string.

Parameters
  • entry (lib389._entry.Entry) – An entry

  • rawaci (str) – Aci in a raw form

  • verbose (bool) – False by default

getRawAci()

This method rebuilds an aci string from the contents of the acidata dict found on the object.

Returns

An aci attribute string.
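The following is an added, stand-alone illustration of what EntryAci, getRawAci() and Aci.lint() do, written for this page and not taken from lib389: it breaks a v3 aci string into target terms, acl name and allow/deny rules, rebuilds the string, and runs two checks over a set of acis. It needs no directory server. The sample acis are constructed for the example, the check identifiers (EX-NE-TARGETATTR, EX-STAR-TARGETATTR) are illustrative and are not lib389's DSALE codes, and the dict layout is simpler than acidata. The first check is the practitioner's classic aci pitfall: an allow rule on targetattr != grants every attribute that is not listed, including attributes added to the schema later.

```python
import re

# Constructed sample acis (not from the page or from lib389). The second one
# is deliberately over-permissive: it allows writing every attribute except
# userPassword, which includes any attribute added to the schema later.
SAMPLE_ACIS = [
    '(targetfilter ="(ou=groups)")(targetattr ="uniqueMember || member")'
    '(version 3.0; acl "Allow test aci";allow (read, search, write)'
    '(userdn="ldap:///dc=example,dc=com??sub?(ou=engineering)");)',
    '(targetattr != "userPassword")'
    '(version 3.0; acl "Risky self write"; allow (write) userdn="ldap:///self";)',
]

_TARGET_KEYWORDS = ('target', 'targetattr', 'targetfilter',
                    'targetscope', 'targattrfilters')
# (keyword op "value") target terms that precede the version clause
_TARGET_RE = re.compile(r'\(\s*(target\w*)\s*(!?=)\s*"([^"]*)"\s*\)')
_ACL_RE = re.compile(r'\s*acl\s*"([^"]*)"\s*;')
# allow/deny (perm, perm) <bind rule>;  (bind rules must not contain ';')
_PERM_RE = re.compile(r'(allow|deny)\s*\(([^)]*)\)\s*(.*?)\s*;', re.S)
_VERSION = '(version 3.0;'


def parse_aci(raw):
    """Split one aci value into target terms, acl name and permission rules."""
    idx = raw.find(_VERSION)
    if idx < 0:
        raise ValueError('not a version 3.0 aci: %r' % raw)
    data = {kw: [] for kw in _TARGET_KEYWORDS}
    data.update({'acl': None, 'allow': [], 'deny': []})
    for kw, op, value in _TARGET_RE.findall(raw[:idx]):
        kw = kw.lower()
        if kw not in _TARGET_KEYWORDS:
            raise ValueError('unknown target keyword %r' % kw)
        values = ([v.strip() for v in value.split('||')]
                  if kw == 'targetattr' else [value])
        data[kw].append({'values': values, 'equal': op == '='})
    body = raw[idx + len(_VERSION):].rstrip()
    if not body.endswith(')'):
        raise ValueError('unterminated aci body')
    body = body[:-1]
    m = _ACL_RE.match(body)
    if m is None:
        raise ValueError('missing acl name')
    data['acl'] = m.group(1)
    for kind, perms, bindrule in _PERM_RE.findall(body[m.end():]):
        data[kind].append({'values': [p.strip() for p in perms.split(',')],
                           'bindrule': bindrule.strip()})
    if not data['allow'] and not data['deny']:
        raise ValueError('aci has no allow or deny rule')
    return data


def build_aci(data):
    """Rebuild an aci string from the parsed dict (the inverse of parse_aci)."""
    parts = []
    for kw in _TARGET_KEYWORDS:
        for term in data[kw]:
            value = (' || '.join(term['values']) if kw == 'targetattr'
                     else term['values'][0])
            parts.append('(%s %s "%s")' % (kw, '=' if term['equal'] else '!=', value))
    parts.append('%s acl "%s";' % (_VERSION, data['acl']))
    for kind in ('allow', 'deny'):
        for rule in data[kind]:
            parts.append(' %s (%s) %s;' % (kind, ', '.join(rule['values']),
                                           rule['bindrule']))
    parts.append(')')
    return ''.join(parts)


def lint_acis(raws):
    """Run checks over a set of aci strings; returns (passed, warnings).

    Check names are illustrative, not lib389's DSALE identifiers."""
    warnings = []
    for aci in (parse_aci(r) for r in raws):
        if not aci['allow']:
            continue
        for term in aci['targetattr']:
            if not term['equal']:
                warnings.append({
                    'name': 'EX-NE-TARGETATTR', 'severity': 'HIGH',
                    'detail': 'aci "%s" allows on targetattr != %s: this grants '
                              'every attribute not listed, including attributes '
                              'added later; list the permitted attributes instead'
                              % (aci['acl'], ' || '.join(term['values']))})
            elif ('*' in term['values'] and not aci['target']
                  and not aci['targetfilter']):
                warnings.append({
                    'name': 'EX-STAR-TARGETATTR', 'severity': 'MEDIUM',
                    'detail': 'aci "%s" allows on every attribute of every entry '
                              'in scope; add a target or targetfilter' % aci['acl']})
    passed = not any(w['severity'] == 'HIGH' for w in warnings)
    return passed, warnings


def format_lint(warnings):
    """Render lint warnings one per line, in the (severity, name, detail) shape."""
    return '\n'.join('[%s] %s: %s' % (w['severity'], w['name'], w['detail'])
                     for w in warnings)


if __name__ == '__main__':
    ok, found = lint_acis(SAMPLE_ACIS)
    print('aci lint: %s' % ('pass' if ok else 'FAIL'))
    print(format_lint(found))
```

A round trip (parse, build, parse) yields the same dict for both samples, which is the property getRawAci() relies on when an aci is edited through acidata and written back. The parser is intentionally strict on shape (missing acl name, unterminated body, no allow/deny rule all raise) because an aci that fails to parse should be rejected before it reaches the server rather than silently dropped by a linter.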