Hi guys,

I am trying to create an organizational unit and a user with ACIs, but it looks like my ACI is not defined correctly. Below is my LDIF.

    # Organizational unit: one ACI that lets any bind (anyone) do everything in its subtree
    dn: ou=serviceaccounts,dc=test,dc=example,dc=com
    changetype: add
    objectclass: top
    objectclass: organizationalunit
    aci: (targetattr = "*") (version 3.0; acl "default aci for service accounts"; allow (all) (userdn="ldap:///anyone") ;)

    # Service account: its own entry carries a deny-all ACI for "self"
    dn: cn=user1,ou=serviceaccounts,dc=test,dc=example,dc=com
    changetype: add
    objectclass: top
    objectclass: person
    sn: tscei.obs
    userPassword: testing123
    description: This is a test
    aci: (targetattr = "*") (version 3.0; acl "user1"; deny (all) (userdn="ldap:///self") ;)

I create an organizational unit that allows all users to modify it, then I create user1, which denies everything. I then use the LDIF below to perform an LDAP add operation.

    # Child entry added underneath user1's own entry
    dn: cn=testing123,cn=user1,ou=serviceaccounts,dc=test,dc=example,dc=com
    changetype: add
    objectclass: top
    objectclass: room

I use this ldapmodify command to perform the add operation (simple bind as user1):

    ldapmodify -h hostname -p 1389 -D "cn=user1,ou=serviceaccounts,dc=test,dc=example,dc=com" -w testing123 -f my_test.ldif -x

The add operation succeeded unexpectedly. The result I'm looking for should be "not enough privilege to perform the add operation". Does anyone know what's wrong with my ACI setup?

Thanks!
David
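Added example (editor's own, not code from the original post or from 389 Directory Server): a small Python model of the three ACI-scoping rules that decide the case above. An aci applies to the entry that holds it and to every entry below it; any matching deny wins over any matching allow; and userdn="ldap:///self" matches only when the bound DN is the DN of the entry being accessed, whereas "ldap:///anyone" matches every bind. The entry being added is cn=testing123,cn=user1,... rather than cn=user1,... itself, so under these rules the deny on user1 never matches and the OU's allow-for-anyone grants the add; naming the bound DN explicitly in the deny (the EXPLICIT_DENY variant below, an assumption of this model) makes the deny cover the whole subtree under user1. The evaluator ignores targetattr and every other ACI component, and the ACI dicts are hand-built rather than parsed from the LDIF.

```python
# Simplified model of ACI scoping for the posted LDIF (added example, not
# 389 DS code). Rules modelled:
#   1. an aci on an entry applies to that entry and every entry below it,
#   2. any matching deny wins over any matching allow,
#   3. userdn="ldap:///self" matches only when bind DN == target entry DN,
#      "ldap:///anyone" matches every bind, "ldap:///<dn>" matches that bind DN.
# targetattr and all other ACI components are deliberately ignored here.


def normalize_dn(dn: str) -> str:
    """Lower-case and strip spaces around RDN separators so DNs compare safely."""
    return ",".join(part.strip().lower() for part in dn.split(","))


def is_at_or_below(target: str, scope: str) -> bool:
    """True if target is the scope entry itself or an entry underneath it."""
    t, s = normalize_dn(target), normalize_dn(scope)
    return t == s or t.endswith("," + s)


def subject_matches(userdn: str, bind_dn: str, target_dn: str) -> bool:
    """Does the ACI's userdn clause match this bind for this target entry?"""
    if userdn == "ldap:///anyone":
        return True
    if userdn == "ldap:///self":
        return normalize_dn(bind_dn) == normalize_dn(target_dn)
    if userdn.startswith("ldap:///"):
        return normalize_dn(userdn[len("ldap:///"):]) == normalize_dn(bind_dn)
    return False


def evaluate(acis, bind_dn, target_dn, right):
    """Return (allowed, matched): matched lists the ACIs that applied, in order."""
    allowed = False
    matched = []
    for aci in acis:
        if not is_at_or_below(target_dn, aci["entry"]):
            continue  # rule 1: ACI is out of scope for this target
        if right not in aci["rights"] and "all" not in aci["rights"]:
            continue
        if not subject_matches(aci["userdn"], bind_dn, target_dn):
            continue  # rule 3: subject clause does not match
        matched.append(f'{aci["type"]} "{aci["name"]}"')
        if aci["type"] == "deny":
            return False, matched  # rule 2: a matching deny ends evaluation
        allowed = True
    return allowed, matched


# DNs taken from the posted LDIF
OU = "ou=serviceaccounts,dc=test,dc=example,dc=com"
USER1 = "cn=user1," + OU
CHILD = "cn=testing123," + USER1

# The two ACIs from the post, hand-built (not parsed) into dicts
POSTED_ACIS = [
    {"entry": OU, "name": "default aci for service accounts",
     "type": "allow", "rights": {"all"}, "userdn": "ldap:///anyone"},
    {"entry": USER1, "name": "user1",
     "type": "deny", "rights": {"all"}, "userdn": "ldap:///self"},
]

# Assumed variant: deny names the bound DN instead of "self", so it matches
# user1 for every entry in user1's subtree, not just user1's own entry.
EXPLICIT_DENY = [POSTED_ACIS[0], {**POSTED_ACIS[1], "userdn": "ldap:///" + USER1}]


def add_child_as_user1(acis=POSTED_ACIS):
    """The operation from the post: user1 adds cn=testing123 under itself."""
    return evaluate(acis, USER1, CHILD, "add")


def modify_self_as_user1(acis=POSTED_ACIS):
    """Contrast case: user1 writes to its own entry, where "self" does match."""
    return evaluate(acis, USER1, USER1, "write")


if __name__ == "__main__":
    print("add child, posted ACIs:   ", add_child_as_user1())
    print("modify self, posted ACIs: ", modify_self_as_user1())
    print("add child, explicit deny: ", add_child_as_user1(EXPLICIT_DENY))
```

Against a real server the same three cases are checked by binding as user1 with ldapmodify as in the post: the intended outcome for the add is LDAP result code 50 (insufficientAccessRights), and the access log's err=50 entry is the place to confirm it.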