Ludwig/William,
As a follow up, please don't use targetattr!=userPassword. This exposes
a *lot* of internal system attributes to the user object in question.
It's much better if you limit this to just the attributes required like:
=> Thanks for the tip, I will do that.
So I just have a wild guess. I think you anonymized the aci for this post using "test-user" and "dc=my,dc=domain". Could you verify that you don't have a typo in the real aci for the userdn?
=> You were right, there was a typo in my userdn, now everything is working as expected.
Thanks a lot to you both.
Cheers,
Alberto Viana
On Thu, Sep 7, 2017 at 5:30 AM, Ludwig Krispenz <lkrispen@xxxxxxxxxx> wrote:
It is, and it works for me. The ( ) around the bind rule are not required.
On 09/07/2017 02:25 AM, William Brown wrote:
On Wed, 2017-09-06 at 16:55 -0300, Alberto Viana wrote:
Hi Folks,

389-Directory/1.3.7.3.20170901gite67788a B2017.244.1727

I'm trying to give specific read/search/compare permissions to a user in a sub OU in my tree. I deleted the default ACI "anonymous access" (for test purposes). I tried the following ACIs:

OU scope:

dn: OU=pop-ac,ou=pops,dc=my,dc=domain
changetype: modify
add: aci
aci: (targetattr!="userPassword")(version 3.0;acl "All attributes PoP-AC Permissions";allow (read,search,compare) userdn="ldap:///uid=my-test-user,ou=aplicacoes,dc=my,dc=domain";)

Log:

[06/Sep/2017:16:15:32.427750186 -0300] - DEBUG - NSACLPlugin - print_access_control_summary - conn=47 op=1 (main): Deny search on entry(uid=rodrigo.nonato,ou=pop-ac,ou=pops,dc=my,dc=domain).attr(objectClass) to uid=my-test-user,ou=aplicacoes,dc=my,dc=domain: no aci matched the subject by aci(242): aciname= "SIE Group", acidn="dc=my,dc=domain"

=> SIE Group is one of the default 389 ACIs.

or

Whole domain scope:

dn: dc=my,dc=domain
changetype: modify
add: aci
aci: (target="ldap:///OU=pop-ac,ou=pops,dc=my,dc=domain")(targetattr!="userPassword")(version 3.0;acl "All attributes PoP-AC Permissions";allow (read,search,compare) userdn="ldap:///uid=my-test-user,ou=aplicacoes,dc=my,dc=domain";)

Log:

[06/Sep/2017:16:41:33.824679480 -0300] - DEBUG - NSACLPlugin - print_access_control_summary - conn=50 op=1 (main): Deny search on entry(uid=rodrigo.nonato,ou=pop-ac,ou=pops,dc=my,dc=domain).attr(objectClass) to uid=my-test-user,ou=aplicacoes,dc=my,dc=domain: no aci matched the subject by aci(253): aciname= "All attributes PoP-AC Permissions", acidn="dc=my,dc=domain"

What I need: a user that has no other rights on my tree to read/search all attributes/users on a specific OU.

Is that possible? What am I missing?
So the aci guide is really long: we've been working to improve it lately to help with common aci questions like this, so this is a great place to start: https://access.redhat.com/documentation/en-us/red_hat_directory_server/10/html/administration_guide/managing_access_control

So the aci you have here:

dn: OU=pop-ac,ou=pops,dc=my,dc=domain
changetype: modify
add: aci
aci: (targetattr!="userPassword")(version 3.0;acl "All attributes PoP-AC Permissions";allow (read,search,compare) userdn="ldap:///uid=my-test-user,ou=aplicacoes,dc=my,dc=domain";)

Should be the correct one.
So I just have a wild guess. I think you anonymized the aci for this post using "test-user" and "dc=my,dc=domain". Could you verify that you don't have a typo in the real aci for the userdn?
My guess is that the aci should be:

(targetattr!="userPassword")(version 3.0;acl "All attributes PoP-AC Permissions"; allow (read,search,compare)(userdn="ldap:///uid=my-test-user,ou=aplicacoes,dc=my,dc=domain");)

The change is the parens around the userdn. This should be on the OU=pop-ac,ou=pops,dc=my,dc=domain object. As well, you may need to start your query basedn at OU=pop-ac,ou=pops,dc=my,dc=domain rather than dc=my,dc=domain too.

As a follow up, please don't use targetattr!=userPassword. This exposes a *lot* of internal system attributes to the user object in question. It's much better if you limit this to just the attributes required like:

aci: (targetattr="objectClass || nsUniqueId || uid || displayName || loginShell || uidNumber || gidNumber || gecos || homeDirectory || givenName || cn || memberOf || mail || sshPublicKey || nsAccountLock || userCertificate")(target="ldap:///uid=*,ou=People,dc=blackhats,dc=net,dc=au")(targetfilter="(&(objectClass=account)(objectClass=person)(objectClass=posixaccount))")(version 3.0; acl "Enable anonymous partial user read"; allow (read, search, compare)(userdn="ldap:///anyone");)

Hope that helps a little bit.

Thanks

Cheers,
Alberto Viana

_______________________________________________ 389-users mailing list -- 389-users@lists.fedoraproject.org To unsubscribe send an email to 389-users-leave@lists.fedoraproject.org
-- Red Hat GmbH, http://www.de.redhat.com/, Registered seat: Grasbrunn, Commercial register: Amtsgericht Muenchen, HRB 153243, Managing Directors: Charles Cachera, Michael Cunningham, Michael O'Neill, Eric Shander
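The two points that settled this thread (the bind-rule DN had a typo, and a negated targetattr hands out far more than intended) are both things a small lint can catch before an ACI is loaded. The script below is an added example written for this thread; it is not part of 389-ds or RHDS and nothing in the thread describes such a tool. It parses the version 3.0 ACI syntax with regular expressions, reports a negated or missing targetattr, reports anonymous/all bind rules, and compares the userdn against the subject you meant to grant. The ACI strings inside it are the anonymized ones from the thread; `ACI_TYPO` and the `dc=example,dc=com` DN in `ACI_LIMITED` are constructed for the demonstration.

```python
"""Lint for 389-DS / RHDS ACI strings (version 3.0 syntax).

Hypothetical helper written for this thread, not a 389-ds tool. It extracts the
target clauses and the bind rule of an ACI and flags the problems discussed:
an over-broad targetattr and a bind-rule DN that does not match the intended one.
"""
import re
from typing import Optional

# Target-side clauses sit in front of "(version 3.0;...)". A targetfilter value
# contains parentheses but never double quotes, so "[^"]*" is safe here.
_TARGET_RE = re.compile(r'\(\s*(target|targetattr|targetfilter)\s*(!?=)\s*"([^"]*)"\s*\)')
# Body: (version 3.0; acl "name"; allow|deny (rights) <bind rule>;)
_BODY_RE = re.compile(
    r'\(\s*version\s+3\.0\s*;\s*acl\s+"([^"]*)"\s*;\s*(allow|deny)\s*\(([^)]*)\)\s*(.*?)\s*;\s*\)\s*$',
    re.DOTALL,
)
_BIND_RE = re.compile(r'(userdn|groupdn|userattr)\s*=\s*"([^"]*)"')


def parse_aci(aci: str) -> dict:
    """Return a dict describing the ACI; raise ValueError on syntax we do not understand."""
    m = _BODY_RE.search(aci)
    if m is None:
        raise ValueError("no '(version 3.0; acl ...; allow/deny (...) <bindrule>;)' body found")
    name, effect, rights, bind = m.groups()
    targets = {}
    for key, op, value in _TARGET_RE.findall(aci[: m.start()]):
        targets[key] = {"negated": op == "!=", "value": value}
    binds = _BIND_RE.findall(bind)  # list of (kind, value) tuples
    if not binds:
        raise ValueError("no userdn/groupdn/userattr bind rule found")
    rights_list = [r.strip() for r in rights.split(",") if r.strip()]
    return {"name": name, "effect": effect, "rights": rights_list, "targets": targets, "binds": binds}


def normalize_dn(dn: str) -> str:
    """Loose canonical form for comparison: lowercase, no whitespace around ',' or '='."""
    return re.sub(r"\s*([,=])\s*", r"\1", dn.strip()).lower()


def lint_aci(aci: str, expected_subject_dn: Optional[str] = None) -> list:
    """Return human-readable findings for one ACI (empty list means nothing to report)."""
    info = parse_aci(aci)
    rights = ",".join(info["rights"])
    findings = []
    ta = info["targets"].get("targetattr")
    if ta is None:
        findings.append("no targetattr: grants %s on every attribute" % rights)
    elif ta["negated"]:
        findings.append(
            'targetattr!="%s" grants %s on every attribute except that one, including '
            "operational attributes; list the needed attributes instead" % (ta["value"], rights)
        )
    for kind, value in info["binds"]:
        if kind != "userdn":
            continue
        if value.lower() == "ldap:///anyone":
            findings.append("bind rule %s allows unauthenticated (anonymous) binds" % value)
        elif value.lower() == "ldap:///all":
            findings.append("bind rule %s allows any authenticated user" % value)
        elif expected_subject_dn is not None:
            got = normalize_dn(value.replace("ldap:///", "", 1))
            want = normalize_dn(expected_subject_dn)
            if got != want:
                findings.append("userdn %r does not match the intended subject %r (typo?)" % (got, want))
    return findings


# ACIs as posted in the thread (anonymized DNs), plus constructed variants.
SUBJECT = "uid=my-test-user,ou=aplicacoes,dc=my,dc=domain"
ACI_NEGATED = (
    '(targetattr!="userPassword")(version 3.0;acl "All attributes PoP-AC Permissions";'
    'allow (read,search,compare) userdn="ldap:///uid=my-test-user,ou=aplicacoes,dc=my,dc=domain";)'
)
ACI_PARENS = (
    '(targetattr!="userPassword")(version 3.0;acl "All attributes PoP-AC Permissions"; '
    'allow (read,search,compare)(userdn="ldap:///uid=my-test-user,ou=aplicacoes,dc=my,dc=domain");)'
)
ACI_TYPO = ACI_PARENS.replace("ou=aplicacoes", "ou=aplicacao")  # constructed: one letter missing
ACI_LIMITED = (  # constructed from the shape of the attribute-limited ACI in the thread
    '(targetattr="objectClass || uid || cn || mail")(target="ldap:///uid=*,ou=People,dc=example,dc=com")'
    '(targetfilter="(&(objectClass=account)(objectClass=person))")'
    '(version 3.0; acl "Enable anonymous partial user read"; allow (read, search, compare)(userdn="ldap:///anyone");)'
)

if __name__ == "__main__":
    for label, aci in [("negated", ACI_NEGATED), ("parens", ACI_PARENS), ("typo", ACI_TYPO), ("limited", ACI_LIMITED)]:
        print(label, lint_aci(aci, SUBJECT if label != "limited" else None))
```

Run it as a script to see the findings for each ACI; to check your own ACI, call `lint_aci(aci_string, "dn you intended")` before applying the LDIF. The DN comparison is deliberately loose (case and whitespace only), so it catches the kind of typo found in this thread without pretending to be a full RFC 4514 normalizer.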