Re: Limiting access to same ou

Hi, 

Give it a try. It should work:
aci: (target="ldap:///ou=tenant1,dc=example,dc=com")(targetattr=*)(version 3.0;acl "aci1";allow (read,search) userdn="ldap:///uid=*,ou=tenant1,dc=example,dc=com";)
aci: (target="ldap:///ou=tenant2,dc=example,dc=com")(targetattr=*)(version 3.0;acl "aci2";allow (read,search) userdn="ldap:///uid=*,ou=tenant2,dc=example,dc=com";)

Let me know

On Tue, 27 Nov 2018 at 00:03, Alistair Cunningham <acunningham@xxxxxxxxxxxxx> wrote:
On 26/11/2018 18:59, Olivier JUDITH wrote:
> Hi,
>
> I'm using the Redhat documentation on this link
> https://access.redhat.com/documentation/en-us/red_hat_directory_server/10/html-single/plug-in_guide/index

That looks rather complex. It's a real shame that there's no way of
limiting users to the same ou using a regular expression ACL.

> Regards
>
> On Mon, 26 Nov 2018 at 05:46, Alistair Cunningham
> <acunningham@xxxxxxxxxxxxx> wrote:
>
>     On 25/11/2018 11:44, Olivier JUDITH wrote:
>      > From my point of view, the easiest way to solve this is to set
>     a search filter on the OU corresponding to the tenant on each phone.
>      > Can you modify the software on the phone ?
>
>     Unfortunately not. The telephone handset firmware is written by various
>     third parties, and we have no access to it.
>
>     This would also be insecure. Anyone with the username and password of a
>     telephone and who could use an LDAP client such as LDAP search could
>     bypass the filter to see all the users in all the tenants (i.e.
>     every ou).
>
>      > The other way could be by creating a 389 plugin that adds a
>     filter on the good OU regarding the DN of the user which makes the call
>     to the ldap.
>
>     That might be an option. Do you know where I can find documentation on
>     how to do this?
>
>     --
>     Alistair Cunningham
>     +1 888 468 3111
>     +44 20 799 39 799
>     https://enswitch.com/
>
>
> _______________________________________________
> 389-users mailing list -- 389-users@xxxxxxxxxxxxxxxxxxxxxxx
> To unsubscribe send an email to 389-users-leave@xxxxxxxxxxxxxxxxxxxxxxx
> Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives: https://lists.fedoraproject.org/archives/list/389-users@xxxxxxxxxxxxxxxxxxxxxxx
>

--
Alistair Cunningham
+1 888 468 3111
+44 20 799 39 799
https://enswitch.com/
_______________________________________________
389-users mailing list -- 389-users@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to 389-users-leave@xxxxxxxxxxxxxxxxxxxxxxx
Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/389-users@xxxxxxxxxxxxxxxxxxxxxxx
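As an added check (not code from the thread or from 389 DS), here is a small Python model of how 389 DS evaluates the two ACIs Olivier proposed: default deny, and an allow ACI grants its rights on the target subtree to binders matching its userdn. It parses the ACI strings as written above and confirms that a tenant1 user cannot read or search tenant2; the parser, the probe DNs (uid=probe, uid=x) and the "anyone"/"all" handling are assumptions of this example and cover only the allow/userdn form shown here.

```python
import re
# Constructed copies of the two ACIs proposed in the thread (tenant1 and tenant2).
ACIS = [
    '(target="ldap:///ou=tenant1,dc=example,dc=com")(targetattr=*)(version 3.0;'
    'acl "aci1";allow (read,search) userdn="ldap:///uid=*,ou=tenant1,dc=example,dc=com";)',
    '(target="ldap:///ou=tenant2,dc=example,dc=com")(targetattr=*)(version 3.0;'
    'acl "aci2";allow (read,search) userdn="ldap:///uid=*,ou=tenant2,dc=example,dc=com";)',
]

ACI_RE = re.compile(
    r'\(target="ldap:///(?P<target>[^"]+)"\).*?acl "(?P<name>[^"]+)";'
    r'allow \((?P<rights>[^)]+)\) userdn="ldap:///(?P<userdn>[^"]+)";\)'
)

def norm(dn):
    """Lower-case a DN and drop whitespace around commas."""
    return ",".join(p.strip() for p in dn.lower().split(","))

def parse_aci(text):
    """Extract target, rights and userdn from one 'allow ... userdn' ACI (assumed form)."""
    m = ACI_RE.search(text)
    if not m:
        raise ValueError("unrecognised ACI: " + text)
    userdn = norm(m["userdn"])
    # 'anyone'/'all' match every binder; otherwise '*' stands for one RDN value
    pattern = ".*" if userdn in ("anyone", "all") else re.escape(userdn).replace(r"\*", "[^,]+")
    return {"name": m["name"], "target": norm(m["target"]),
            "rights": {r.strip() for r in m["rights"].split(",")},
            "userdn": re.compile("^" + pattern + "$")}

def in_subtree(entry_dn, base_dn):
    """A target covers the named entry and everything beneath it."""
    entry_dn, base_dn = norm(entry_dn), norm(base_dn)
    return entry_dn == base_dn or entry_dn.endswith("," + base_dn)

def allowed(acis, bind_dn, entry_dn, right):
    """Default deny: the right exists only if some ACI grants it to this binder on this entry."""
    return any(right in a["rights"] and in_subtree(entry_dn, a["target"])
               and a["userdn"].match(norm(bind_dn)) for a in acis)

def tenants_isolated(acis, tenant_ous):
    """True when no user of one tenant OU can read or search entries of another."""
    return not any(allowed(acis, "uid=probe," + me, "uid=x," + other, right)
                   for me in tenant_ous for other in tenant_ous if me != other
                   for right in ("read", "search"))

if __name__ == "__main__":
    acis = [parse_aci(a) for a in ACIS]
    ous = ["ou=tenant1,dc=example,dc=com", "ou=tenant2,dc=example,dc=com"]
    print("tenants isolated:", tenants_isolated(acis, ous))
```

Because allow ACIs are additive, any other ACI covering the suffix (for example an anonymous read ACI left over from instance setup) would re-open cross-tenant access, which the model shows when such an ACI is added to the list. Confirm against the live server by binding as a tenant1 user with ldapsearch and searching the tenant2 ou, expecting no entries back.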
