Anne (juniper) Cross wrote:
> ----- "Rich Megginson" <rmeggins at redhat.com> wrote:
>
>> Anne (juniper) Cross wrote:
>>
>>> I have this syntactically correct ACI:
>>>
>>> (targetattr = "*")
>>> (targetfilter="(ou=mailrouting-listserver)")
>>> (version 3.0;acl "Listserver Administrator";allow (all)
>>> (userdn = "ldap:///uid=listserve,ou=resource accounts,ou=people,dc=itasoftware,dc=com");)
>>>
>>> It's set on the ou=mailrouting-listserver,ou=resource accounts,etc,etc branch.
>>>
>>> I can authenticate successfully using the uid=listserve account, but
>>> I cannot in fact write or change entries in the
>>> ou=mailrouting-listserver branch using the account.
>>>
>>> What have I missed?
>>
>> Does it work if you remove the
>> (targetfilter="(ou=mailrouting-listserver) clause?
>
> It does. I'm a bit wary of leaving it like that, but given that it's
> set on the branch, am I correct in assuming that it will only affect
> the branch beneath the point it is set?

Correct. In fact, what (targetfilter="(ou=mailrouting-listserver)") means is "only entries which contain an ou attribute with the value of mailrouting-listserver". Note that just because the DN contains "...,ou=mailrouting-listserver,..." does not mean all target entries contain "ou: mailrouting-listserver".
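
The behaviour described in the reply above, as an added example that is not part of the original thread: a simplified Python model of how an ACI's placement and its targetfilter select entries. The suffix dc=example,dc=com, the sample entries and the function names are constructed for illustration; the model handles only a single equality filter and DNs without escaped commas.

```python
# Simplified model of ACI target selection (illustrative, not server code).
# Constructed sample data: the suffix and all entries below are made up.
BASE = "ou=mailrouting-listserver,ou=resource accounts,dc=example,dc=com"

ENTRIES = {
    # The branch entry itself carries the ou attribute.
    BASE: {"objectClass": ["organizationalUnit"], "ou": ["mailrouting-listserver"]},
    # Child entry: the DN contains ou=mailrouting-listserver, but the entry
    # has no ou attribute, so the targetfilter does not match it.
    "cn=announce," + BASE: {"objectClass": ["top"], "cn": ["announce"]},
    # Child entry that explicitly stores ou: mailrouting-listserver.
    "cn=staff," + BASE: {"cn": ["staff"], "ou": ["mailrouting-listserver"]},
    # Entry outside the branch: never in scope for an ACI placed on BASE.
    "cn=other,ou=people,dc=example,dc=com": {"cn": ["other"],
                                             "ou": ["mailrouting-listserver"]},
}

def normalize_dn(dn):
    """Lower-case and trim RDNs (assumes no escaped commas in the DN)."""
    return ",".join(part.strip().lower() for part in dn.split(","))

def in_subtree(dn, base):
    """True if dn is the entry holding the ACI or lies beneath it."""
    dn, base = normalize_dn(dn), normalize_dn(base)
    return dn == base or dn.endswith("," + base)

def matches_equality_filter(attrs, flt):
    """Evaluate one '(attr=value)' filter against the entry's attributes."""
    attr, value = flt.strip("()").split("=", 1)
    values = next((v for k, v in attrs.items()
                   if k.lower() == attr.strip().lower()), [])
    return value.strip().lower() in (v.lower() for v in values)

def aci_targets(entries, aci_dn, targetfilter=None):
    """DNs the ACI applies to: subtree of aci_dn, narrowed by targetfilter."""
    return sorted(
        dn for dn, attrs in entries.items()
        if in_subtree(dn, aci_dn)
        and (targetfilter is None or matches_equality_filter(attrs, targetfilter))
    )

if __name__ == "__main__":
    print("with targetfilter:   ", aci_targets(ENTRIES, BASE, "(ou=mailrouting-listserver)"))
    print("without targetfilter:", aci_targets(ENTRIES, BASE))
```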