On 09/04/2013 04:30 PM, Ludwig Krispenz wrote:
On 09/04/2013 04:11 PM, Mitja Mihelič wrote:
Hi!
We are moving our Directory server from CentOS 5 Directory Server to
CentOS 6 with 389 Directory Server.
Our DIT looks like this:
dc=example,dc=com
|- dc=guests,dc=example,dc=com
We would like the users in dc=example,dc=com to have full write
permissions for their own entries. Users in
dc=guests,dc=example,dc=com must not have that permission.
For that reason we had the following ACI applied to the
dc=example,dc=com node:
(targetattr = "*")
(target = "ldap:///*@example.com,dc=example, dc=com")
(version 3.0;
acl "Write to example.com - self";
allow (read,compare,search,write)
(userdn = "ldap:///self")
;)
This ACI works on the ol' CentOS 5 and the installed CentOS Directory
server.
However the very same ACI cannot be applied in the 389DS on CentOS 6.
LDAPException: Invalid syntax (21)
maybe dn parsing is strict, try to remove the space in "dc=example,
dc=com"
Removing the space did not make a difference.
How should the ACI be written to work on CentOS 6 389DS?
you could also try
(target != "ldap:///dc=guests,dc=example,dc=com")
I have decided to go with the explicit deny for write.
Kind regards,
Mitja
--
389 users mailing list
389-users@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/389-users
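For anyone landing on this thread later, here is the two-ACI layout the thread ends on (self-write allowed under dc=example,dc=com, write explicitly denied under dc=guests) written out as LDIF for ldapmodify. This is an added example, not the ACIs Mitja posted: the ACI names, the ldapmodify command in the comment, and the reading that the `*@example.com` target fails because it is not a valid RDN are assumptions. It relies on one documented 389 DS rule: a matching deny takes precedence over any allow, so the deny on the guests subtree wins even though the allow's target covers that subtree.

```ldif
# Added example, not the ACIs from the thread. Apply with something like:
#   ldapmodify -x -H ldap://localhost -D "cn=Directory Manager" -W -f self-write.ldif
# ACI names and the ldapmodify invocation are assumptions for illustration.

# 1. Every entry under dc=example,dc=com may be read and written by the user
#    bound as that entry. The target is a plain subtree DN: the old
#    "ldap:///*@example.com,dc=example,dc=com" form is not attr=value RDN
#    syntax, which is (on this reading) why 389 DS answers Invalid syntax (21).
dn: dc=example,dc=com
changetype: modify
add: aci
aci: (targetattr = "*")(target = "ldap:///dc=example,dc=com")(version 3.0; acl "Write to example.com - self"; allow (read,compare,search,write) (userdn = "ldap:///self");)

# 2. Explicit deny for the guests subtree. In 389 DS a deny that matches the
#    operation overrides any allow, so users under dc=guests keep read,
#    compare and search from ACI 1 but lose write on their own entry.
dn: dc=guests,dc=example,dc=com
changetype: modify
add: aci
aci: (targetattr = "*")(target = "ldap:///dc=guests,dc=example,dc=com")(version 3.0; acl "No self-write for guests"; deny (write) (userdn = "ldap:///self");)
```

Two things to check after applying it: bind as a guest and attempt a modify on the guest's own entry (expect Insufficient access), and bind as a regular user and do the same (expect success). Because the deny uses `targetattr = "*"`, guests also cannot change their own userPassword; if guests should still be able to set their own password, narrow the deny with `(targetattr != "userPassword")` instead. Ludwig's alternative, `(target != "ldap:///dc=guests,dc=example,dc=com")` on the allow, achieves the same exclusion with a single ACI but leaves nothing in the guests subtree that would override a later, broader allow.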