Hey Dan,

Try enclosing your target in brackets like this:

aci:(targetattr!="userPassword")(target=(($dn),ou=Domains,dc=example,dc=net))(version 3.0;acl "Allow read access to Domain members";allow(read,search)(userdn="ldap:///mail=*,($dn),ou=Domains,dc=example,dc=net");)

Let me know if that makes a difference.

Gordon

On 11/9/06, Dan <deighton at gmail.com> wrote:
> I have set up a directory structure as follows:
>
> ou=Domains,dc=example,dc=net
>   o=hostedDomain1.com
>     mail=user1@hostedDomain1.com
>     mail=user2@hostedDomain1.com
>     mail=user3@hostedDomain1.com
>   o=hostedDomain2.net
>     mail=user1@hostedDomain2.net
>     mail=user2@hostedDomain2.net
>     mail=user3@hostedDomain2.net
>   o=hostedDomain3.com
>     ...
>
> I would like to allow any mail user to only read the attributes of the
> users within their domain. For example, user1@hostedDomain1.com can see
> user2@hostedDomain1.com, but not user2@hostedDomain2.net.
>
> I am not allowing anonymous access.
> I have allowed access to the Domains OU with this aci entry (placed on
> the Domains OU):
>
> aci: (targetattr=*)(targetfilter=(ou=Domains)) (version 3.0;acl "Allow
> read access to Domains OU";allow (read,search)
> (userdn="ldap:///mail=*,o=*,ou=Domains,dc=example,dc=net");)
>
> I have placed the following macro aci on the Domains OU without success:
>
> aci:
> (targetattr!="userPassword")
> (target="ldap:///($dn),ou=Domains,dc=example,dc=net")
> (version 3.0;acl "Allow read access to Domain members";allow
> (read,search)(userdn="ldap:///mail=*,($dn),ou=Domains,dc=example,dc=net");)
>
>
> As I understand it, the second aci should allow read and search access
> to domain ($dn) and all entries below it. However, the behavior that
> I'm seeing is that the user can only see down to the domain with no
> access to the sub-entries. In other words, user1@hostedDomain1.com can
> see o=hostedDomain1.com,ou=Domains,dc=example,dc=net, but cannot see
> anything below.
>
> Am I missing something? How can I get this to work properly?
>
> Thanks in advance.
>
>
>
>
> --
> Fedora-directory-users mailing list
> Fedora-directory-users at redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-directory-users
>
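The following is an added example, not code from this thread or from Fedora/389 Directory Server: a small simulator of how a macro ACI's target and userdn are scoped against Dan's tree. Its matching rules are an assumption based on my reading of the Directory Server administration guide, namely that ($dn) in the target matches the RDNs between the target's fixed prefix and suffix, that ($dn) in the userdn is replaced by that whole matched value, and that the [$dn] form retries with the leftmost RDN stripped off until a form matches. Run over a constructed copy of the DIT from the thread, it reproduces the behaviour Dan describes for the ($dn) userdn (the user matches only at the o= entry itself) and shows what the walk-up form yields instead; the entries, DNs and both userdn variants are constructed for the example.

```python
"""Toy simulator of Directory Server macro ACI scoping (added example, not
code from the thread or from Fedora Directory Server).

Assumed semantics, from my reading of the Directory Server admin guide:
  * ($dn) in the target matches the RDNs of the requested entry that sit
    between the target's fixed prefix and fixed suffix.
  * ($dn) in the userdn is replaced by that whole matched value.
  * [$dn] in the userdn is tried with the whole matched value first, then
    with the leftmost RDN stripped, and so on, until one form matches.
"""
import fnmatch

# Constructed DIT, modelled on the one described in the thread.
ENTRIES = [
    "ou=Domains,dc=example,dc=net",
    "o=hostedDomain1.com,ou=Domains,dc=example,dc=net",
    "mail=user1@hostedDomain1.com,o=hostedDomain1.com,ou=Domains,dc=example,dc=net",
    "mail=user2@hostedDomain1.com,o=hostedDomain1.com,ou=Domains,dc=example,dc=net",
    "o=hostedDomain2.net,ou=Domains,dc=example,dc=net",
    "mail=user1@hostedDomain2.net,o=hostedDomain2.net,ou=Domains,dc=example,dc=net",
]

TARGET = "ldap:///($dn),ou=Domains,dc=example,dc=net"
USERDN_PAREN = "ldap:///mail=*,($dn),ou=Domains,dc=example,dc=net"    # form posted in the thread
USERDN_BRACKET = "ldap:///mail=*,[$dn],ou=Domains,dc=example,dc=net"  # assumed walk-up form


def rdns(dn):
    """Split a DN (optionally prefixed with ldap:///) into RDN strings.
    No escaping or normalisation is handled: this is toy code."""
    return [p.strip() for p in dn.replace("ldap:///", "").split(",") if p.strip()]


def match_target(target, entry_dn):
    """Return the part of entry_dn that ($dn) in the target matches, or None."""
    prefix, suffix = target.replace("ldap:///", "").split("($dn)")
    prefix_rdns, suffix_rdns, entry = rdns(prefix), rdns(suffix), rdns(entry_dn)
    if entry[:len(prefix_rdns)] != prefix_rdns:
        return None
    if suffix_rdns and entry[-len(suffix_rdns):] != suffix_rdns:
        return None
    middle = entry[len(prefix_rdns):len(entry) - len(suffix_rdns)]
    return ",".join(middle) if middle else None


def subject_matches(pattern, bind_dn):
    """RDN-by-RDN comparison; '*' matches within one RDN, never across commas."""
    p, b = rdns(pattern), rdns(bind_dn)
    return len(p) == len(b) and all(fnmatch.fnmatchcase(x, y) for x, y in zip(b, p))


def candidate_values(matched, walk_up):
    """($dn): only the whole matched value.  [$dn]: the whole value, then each
    shorter suffix produced by dropping the leftmost RDN."""
    parts = rdns(matched)
    if not walk_up:
        return [matched]
    return [",".join(parts[i:]) for i in range(len(parts))]


def allowed(target, userdn, bind_dn, entry_dn):
    """Would this single allow ACI grant bind_dn access to entry_dn?"""
    matched = match_target(target, entry_dn)
    if matched is None:
        return False
    macro = "[$dn]" if "[$dn]" in userdn else "($dn)"
    for value in candidate_values(matched, macro == "[$dn]"):
        if subject_matches(userdn.replace(macro, value), bind_dn):
            return True
    return False


def readable_entries(target, userdn, bind_dn):
    """All DIT entries the ACI lets bind_dn read."""
    return [e for e in ENTRIES if allowed(target, userdn, bind_dn, e)]


if __name__ == "__main__":
    user1 = "mail=user1@hostedDomain1.com,o=hostedDomain1.com,ou=Domains,dc=example,dc=net"
    for userdn in (USERDN_PAREN, USERDN_BRACKET):
        print(userdn)
        for entry in readable_entries(TARGET, userdn, user1):
            print("   ", entry)
```

Under these assumed rules the ($dn) userdn grants user1@hostedDomain1.com only the o=hostedDomain1.com entry, because for any entry below it the matched value already contains the user's own mail= RDN and the substituted userdn no longer fits a bind DN; the [$dn] form grants exactly the three hostedDomain1.com entries and nothing under hostedDomain2.net. The simulator does not model DN normalisation or the server's full ACI evaluation, so confirm any change on a test instance by binding as a domain user with ldapsearch and checking that entries of the other domains stay invisible.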