On Thu, 2017-06-22 at 13:45 +0200, Ludwig Krispenz wrote:
> Hi,
>
> 389-ds has an access control mechanism which allows fine grained access
> to entries, attributes for different types of operation and based on
> various criteria like dn, group membership, role,.... and you should get
> familiar with the basics before just adding specific acis:
>
> https://access.redhat.com/documentation/en-us/red_hat_directory_server/10/html/administration_guide/managing_access_control
>
> for your specific request you could do something like:
>
> dn: l=kranj,c=si
> aci: (targetattr = "*")(version 3.0; acl "Admin rights"; allow( all )
> userdn = "ldap:///uid=mnadmin,ou=user,l=Kranj,c=si";)
>
> note that in 389-ds acis have to be placed at the top of the subtree they
> should apply

Another tip is to always use targetattr = "attr ...." rather than
targetattr !=. != causes lots of problems, it's better to be explicit in
what is allowed.

--
Sincerely,

William Brown
Software Engineer
Red Hat, Australia/Brisbane
_______________________________________________
389-users mailing list -- 389-users@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to 389-users-leave@xxxxxxxxxxxxxxxxxxxxxxx
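
Added example, not part of the original thread and not 389-ds code: a small Python audit that reads an LDIF export, unfolds continuation lines, and classifies each aci's targetattr as negated (!=), wildcard or explicit list, so ACIs using the != form discussed above can be found and rewritten. The sample LDIF is constructed (only its first aci comes from the thread) and the function names are illustrative.

```python
import base64
import re

# Constructed sample. The first aci is the one quoted in the thread; the other two
# are made up. Folded lines start with one space (RFC 2849); the second space is data.
SAMPLE_LDIF = '''\
dn: l=kranj,c=si
aci: (targetattr = "*")(version 3.0; acl "Admin rights"; allow( all )
  userdn = "ldap:///uid=mnadmin,ou=user,l=Kranj,c=si";)
aci: (targetattr != "userPassword")(version 3.0; acl "Read all but pw";
  allow (read, search, compare) userdn = "ldap:///all";)
aci: (targetattr = "cn || sn || mail")(version 3.0; acl "Read names";
  allow (read, search, compare) userdn = "ldap:///all";)
'''

TARGETATTR = re.compile(r'\(\s*targetattr\s*(!=|=)\s*"([^"]*)"\s*\)', re.I)
ACL_NAME = re.compile(r'\bacl\s+"([^"]*)"', re.I)

def iter_acis(ldif_text):
    """Yield (dn, aci_value) pairs, unfolding lines and decoding 'aci::' base64."""
    dn = None
    for line in re.sub(r'\r?\n ', '', ldif_text).splitlines():
        attr, sep, value = line.partition(':')
        if not sep:
            continue
        if value.startswith(':'):  # "attr:: <base64>" form
            value = base64.b64decode(value[1:].strip()).decode('utf-8')
        if attr.lower() == 'dn':
            dn = value.strip()
        elif attr.lower() == 'aci':
            yield dn, value.strip()

def classify_acis(ldif_text):
    """Return (dn, acl_name, style, attrs); style is negated, wildcard or explicit."""
    rows = []
    for dn, aci in iter_acis(ldif_text):
        target = TARGETATTR.search(aci)
        if target is None:
            continue  # no targetattr clause, nothing to classify
        name = ACL_NAME.search(aci)
        attrs = [a.strip() for a in target.group(2).split('||')]
        # "!=" matches every attribute NOT listed, including ones added to schema later.
        style = ('negated' if target.group(1) == '!='
                 else 'wildcard' if '*' in attrs else 'explicit')
        rows.append((dn, name.group(1) if name else None, style, attrs))
    return rows

if __name__ == '__main__':
    for dn, name, style, attrs in classify_acis(SAMPLE_LDIF):
        print(f'{style:9} {dn}  acl "{name}"  {attrs}')
```

Rows reported as negated are the ones to rewrite with an explicit targetattr = "a || b" list.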