On Thu, 2006-11-09 at 15:21 -0500, Dan wrote:
> On Thu, 2006-11-09 at 14:19 -0500, Gordon May wrote:
> > Hey Dan,
> >
> > Try enclosing your target in brackets like this:
> >
> > aci:(targetattr!="userPassword")(target=(($dn),ou=Domains,dc=example,dc=net))(version
> > 3.0;acl "Allow read access to Domain
> > members";allow(read,search)(userdn="ldap:///mail=*,($dn),ou=Domains,dc=example,dc=net");)
> >
> > Let me know if that makes a difference.
>
> No luck. I received a syntax error. As I understand it, the subject of
> a target keyword must be of the form "ldap:///distinguished_name".
>

I was able to get this working by using the following aci:

(targetattr!="userPassword")
(target="ldap:///($dn),ou=Domains,dc=example,dc=net")
(version 3.0;acl "Allow read access to Domain members";allow
(read,search)(userdn="ldap:///mail=*,[$dn],ou=Domains,dc=example,dc=net");)

I'm not sure why changing from ($dn) to [$dn] in the userdn bind rule
fixed the problem, but it did the trick. I think it should have worked
either way, but I'm just happy it is ok now.

> >
> > Gordon
> >
> > On 11/9/06, Dan <deighton at gmail.com> wrote:
> > > I have set up a directory structure as follows:
> > >
> > > ou=Domains,dc=example,dc=net
> > >   o=hostedDomain1.com
> > >     mail=user1@hostedDomain1.com
> > >     mail=user2@hostedDomain1.com
> > >     mail=user3@hostedDomain1.com
> > >   o=hostedDomain2.net
> > >     mail=user1@hostedDomain2.net
> > >     mail=user2@hostedDomain2.net
> > >     mail=user3@hostedDomain2.net
> > >   o=hostedDomain3.com
> > >   ...
> > >
> > > I would like to allow any mail user to only read the attributes of the
> > > users within their domain. For example, user1@hostedDomain1.com can see
> > > user2@hostedDomain1.com, but not user2@hostedDomain2.net.
> > >
> > > I am not allowing anonymous access.
> > >
> > > I have allowed access to the Domains OU with this aci entry (placed on
> > > the Domains OU):
> > >
> > > aci: (targetattr=*)(targetfilter=(ou=Domains)) (version 3.0;acl "Allow
> > > read access to Domains OU";allow (read,search)
> > > (userdn="ldap:///mail=*,o=*,ou=Domains,dc=example,dc=net");)
> > >
> > > I have placed the following macro aci on the Domains OU without success:
> > >
> > > aci:
> > > (targetattr!="userPassword")
> > > (target="ldap:///($dn),ou=Domains,dc=example,dc=net")
> > > (version 3.0;acl "Allow read access to Domain members";allow
> > > (read,search)(userdn="ldap:///mail=*,($dn),ou=Domains,dc=example,dc=net");)
> > >
> > >
> > > As I understand it, the second aci should allow read and search access
> > > to domain ($dn) and all entries below it. However, the behavior that
> > > I'm seeing is that the user can only see down to the domain with no
> > > access to the sub-entries. In other words, user1@hostedDomain1.com can
> > > see o=hostedDomain1.com,ou=Domains,dc=example,dc=net, but cannot see
> > > anything below.
> > >
> > > Am I missing something? How can I get this to work properly?
> > >
> > > Thanks in advance.
> > >
> > > --
> > > Fedora-directory-users mailing list
> > > Fedora-directory-users at redhat.com
> > > https://www.redhat.com/mailman/listinfo/fedora-directory-users
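Added example, not from this thread or from 389 Directory Server: a small Python model of how the macro ACI above is evaluated for the directory layout Dan describes. It assumes that ($dn) in the target is bound to the part of the entry DN above the fixed suffix, that ($dn) in the bind rule substitutes that whole matched value once, and that [$dn] tries the matched value and then each shorter RDN suffix of it in turn. The DN handling is deliberately simplified (RDNs split on commas, no escaping, `*` only as a value wildcard) and the sample entries are constructed. Under those assumptions the model reproduces both the symptom in the original post (the domain entry is visible, the user entries below it are not) and the effect of the [$dn] fix, while still refusing userPassword.

```python
"""Constructed model of the macro ACI discussed in the thread.

Not 389 Directory Server code: it assumes the macro semantics described in
the lead-in, with a simplified DN model (RDNs split on ',', no escaping).
"""
import fnmatch

SUFFIX = "ou=Domains,dc=example,dc=net"
DENIED_ATTRS = {"userpassword"}  # (targetattr!="userPassword")

# Constructed sample entries, laid out as in the thread
D1 = f"o=hostedDomain1.com,{SUFFIX}"
U1_D1 = f"mail=user1@hostedDomain1.com,{D1}"
U2_D1 = f"mail=user2@hostedDomain1.com,{D1}"
U2_D2 = f"mail=user2@hostedDomain2.net,o=hostedDomain2.net,{SUFFIX}"


def split_rdns(dn):
    """Split a DN into RDN strings (simplification: no escaped commas)."""
    return [part.strip() for part in dn.split(",")]


def target_match(entry_dn):
    """Value that ($dn) takes for target="ldap:///($dn),<SUFFIX>", or None.

    ($dn) stands for everything in the entry DN above the fixed suffix, so it
    is 'o=hostedDomain1.com' for the domain entry and
    'mail=user2@...,o=hostedDomain1.com' for a user entry below it."""
    tail = "," + SUFFIX
    if not entry_dn.lower().endswith(tail.lower()):
        return None
    return entry_dn[: -len(tail)]


def dn_glob_match(pattern, dn):
    """Match an ldap:/// DN pattern with '*' wildcards against a DN, RDN by RDN."""
    pat, rdns = split_rdns(pattern), split_rdns(dn)
    if len(pat) != len(rdns):
        return False
    # fnmatchcase also treats ? and [..] specially; the sample DNs contain none
    return all(fnmatch.fnmatchcase(r.lower(), p.lower()) for r, p in zip(rdns, pat))


def bind_rule_allows(bind_dn, matched, macro):
    """Evaluate userdn="ldap:///mail=*,<macro>,<SUFFIX>" for the bound user.

    ($dn): the whole matched value is substituted once.
    [$dn]: the matched value and then each shorter RDN suffix of it is tried
           in turn (assumed semantics of the [$dn] macro)."""
    rdns = split_rdns(matched)
    if macro == "($dn)":
        candidates = [matched]
    elif macro == "[$dn]":
        candidates = [",".join(rdns[i:]) for i in range(len(rdns))]
    else:
        raise ValueError(f"unknown macro {macro!r}")
    return any(dn_glob_match(f"mail=*,{c},{SUFFIX}", bind_dn) for c in candidates)


def allowed(bind_dn, entry_dn, attr, macro="[$dn]"):
    """Does the ACI grant read/search on attr of entry_dn to bind_dn?"""
    if attr.lower() in DENIED_ATTRS:      # targetattr excludes userPassword
        return False
    matched = target_match(entry_dn)      # the target clause must match the entry
    if matched is None:
        return False
    return bind_rule_allows(bind_dn, matched, macro)


if __name__ == "__main__":
    for macro in ("($dn)", "[$dn]"):
        print(f"userdn with {macro}, bound as {U1_D1}:")
        for entry, attr in ((D1, "o"), (U2_D1, "mail"), (U2_D2, "mail"),
                            (U2_D1, "userPassword")):
            print(f"  {attr:<12} of {entry:<62} -> {allowed(U1_D1, entry, attr, macro)}")
```

With ($dn) in the bind rule the substituted subject for a user entry becomes `mail=*,mail=user2@...,o=hostedDomain1.com,...`, which no bind DN can match, so only the domain entry itself passes; with [$dn] the shorter suffix `o=hostedDomain1.com` is also tried and the same-domain users match while users of other domains still do not.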