Access Control List - dogtagpki/pki GitHub Wiki

Default ACL

The default ACL for each PKI subsystem is defined in the following files:

When the subsystem is installed, the ACL will be stored in the following LDAP entry:

dn: cn=aclResources,dc=<subsystem>,dc=pki,dc=example,dc=com
objectClass: top
objectClass: CertACLS
cn: aclResources
resourceACLS: ...
resourceACLS: ...
resourceACLS: ...
...

Displaying ACL

To display the current ACL, execute an ldapsearch command. For example:

$ ldapsearch -H ldap://$HOSTNAME:389 -x -D "cn=Directory Manager" -w Secret.123 \
    -b "cn=aclResources,dc=tps,dc=pki,dc=example,dc=com"

Modifying ACL

To modify the ACL, execute an ldapmodify command that deletes the old resourceACLS value and adds the new one in a single modify operation (the LDIF below is line-folded: lines starting with a space continue the previous line). For example:

$ ldapmodify -H ldap://$HOSTNAME:389 -x -D "cn=Directory Manager" -w Secret.123 << EOF
dn: cn=aclResources,dc=tps,dc=pki,dc=example,dc=com
changetype: modify
delete: resourceACLS
resourceACLS: certServer.tps.profile-mappings:read,change-status,add,modify,remo
 ve:allow (read,change-status,add,modify,remove) group="Administrators" :Only ad
 mins can access profile mappings.
-
add: resourceACLS
resourceACLS: certServer.tps.profile-mappings:read,change-status,add,modify,remo
 ve:allow (read,change-status) group="Administrators" || group="TPS Agents";allo
 w (add,modify,remove) group="Administrators":Admins and agents can read and cha
 nge status, but only admins can add, modify, and remove.
-
EOF

Then restart the server.
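As an added example (not part of this wiki page or of the pki project), the following Python evaluator parses the resourceACLS syntax used above and confirms that the new value lets TPS Agents read and change status but not add, modify or remove; it also rejects a rule that names an operation not declared in the value's operation list. The deny-over-allow ordering and the `&&`/`||` operators it supports are assumptions of this example.

```python
import re

# Constructed sample: the new resourceACLS value from the ldapmodify example, unfolded into one line.
NEW_ACL = (
    'certServer.tps.profile-mappings:read,change-status,add,modify,remove:'
    'allow (read,change-status) group="Administrators" || group="TPS Agents";'
    'allow (add,modify,remove) group="Administrators":'
    'Admins and agents can read and change status, but only admins can add, modify, and remove.'
)
RULE_RE = re.compile(r'^(allow|deny)\s*\(([^)]*)\)\s*(.*)$')
ATOM_RE = re.compile(r'^(group|user)="([^"]*)"$')

def parse_acl(value):
    """Split a resourceACLS value into (resource, declared ops, rules, description)."""
    resource, ops, rules, description = value.split(':', 3)
    declared = {op.strip() for op in ops.split(',')}
    parsed = []
    for rule in filter(None, (r.strip() for r in rules.split(';'))):
        m = RULE_RE.match(rule)
        if not m:
            raise ValueError('malformed rule: ' + rule)
        rule_ops = {op.strip() for op in m.group(2).split(',')}
        if rule_ops - declared:  # a rule naming an undeclared operation is a config error
            raise ValueError('undeclared operations in rule: ' + rule)
        parsed.append((m.group(1), rule_ops, m.group(3).strip()))
    return resource, declared, parsed, description

def expr_matches(expr, user, groups):
    """Evaluate an expression of group="..." / user="..." atoms; && binds tighter than || (assumed)."""
    for disjunct in expr.split('||'):
        atoms = [ATOM_RE.match(a.strip()) for a in disjunct.split('&&')]
        if not all(atoms):
            raise ValueError('malformed expression: ' + expr)
        if all((k == 'user' and n == user) or (k == 'group' and n in groups)
               for k, n in (a.groups() for a in atoms)):
            return True
    return False

def is_allowed(value, op, user, groups):
    """Default deny; a matching deny rule wins over any allow (assumption of this example)."""
    _, _, rules, _ = parse_acl(value)
    allowed = False
    for kind, rule_ops, expr in rules:
        if op in rule_ops and expr_matches(expr, user, set(groups)):
            if kind == 'deny':
                return False
            allowed = True
    return allowed
```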

See Also
