Hi Folks,
389-Directory/1.3.7.3.20170901gite67788a B2017.244.1727
I'm trying to give a specific read/search/compare permissions to an user in a sub OU in my tree.
I deleted the default ACI "anonymous access" (For tests purposes)
I'm tried the following ACIs:
OU scope:
dn: OU=pop-ac,ou=pops,dc=my,dc=domain
changetype: modify
add: aci
aci: (targetattr!="userPassword") (version 3.0;acl "All attributes PoP-AC Permissions";allow (read,search,compare) userdn="ldap:///uid=my-test-user,ou=aplicacoes,dc=my,dc=domain";)
Log:
06/Sep/2017:16:15:32.427750186 -0300] - DEBUG - NSACLPlugin - print_access_control_summary - conn=47 op=1 (main): Deny search on entry(uid=rodrigo.nonato,ou=pop-ac,ou=pops,dc=my,dc=domain).attr(objectClass) to uid=my-test-user,ou=aplicacoes,dc=my,dc=domain: no aci matched the subject by aci(242): aciname= "SIE Group", acidn="dc=my,dc=domain"
=> SIE Group is one of the default 389 ACIs.
or
Whole domain scope:
dn: dc=my,dc=domain
changetype: modify
add: aci
aci: (target="ldap:///OU=pop-ac,ou=pops,dc=my,dc=domain")(targetattr!="userPassword") (version 3.0;acl "All attributes PoP-AC Permissions";allow (read,search,compare) userdn="ldap:///uid=my-test-user,ou=aplicacoes,dc=my,dc=domain";)
Log:
[06/Sep/2017:16:41:33.824679480 -0300] - DEBUG - NSACLPlugin - print_access_control_summary - conn=50 op=1 (main): Deny search on entry(uid=rodrigo.nonato,ou=pop-ac,ou=pops,dc=my,dc=domain).attr(objectClass) to uid=my-test-user,ou=aplicacoes,dc=my,dc=domain: no aci matched the subject by aci(253): aciname= "All attributes PoP-AC Permissions", acidn="dc=my,dc=domain"
What I need: An user that has no other rights on my tree to read/search all attributes/users on an specific OU.
Is that possible? What am I missing?
Thanks
Cheers,
Alberto Viana
_______________________________________________ 389-users mailing list -- 389-users@xxxxxxxxxxxxxxxxxxxxxxx To unsubscribe send an email to 389-users-leave@xxxxxxxxxxxxxxxxxxxxxxx
