Hi, Thanks for quick response in both IRC and forums. Please find the following test ACL policies which am trying to convert. olcAccess: to dn.subtree="dc=test,dc=com" attrs=userPassword by dn.exact="cn=repl,dc=test,dc=com" write by group.exact="cn=DirectoryAdmins,ou=Groups,dc=test,dc=com" write by dn.children="ou=DirectoryAdmins,dc=test,dc=com" write by self write by anonymous auth (( need to find)) by * none I. aci: (target = "ldap:///dc=test,dc=com";)(targetattr = "userPassword")(version 3.0; acl "ACI for userPassword attribute"; allow(write) (userdn = "ldap:///cn=repl,dc=test,dc=com";) OR (groupdn = "ldap:///cn=DirectoryAdmins,ou=Groups,dc=test,dc=com";) OR (groupdn = "ldap:///ou=DirectoryAdmins,dc=test,dc=com";) OR (userdn = "ldap:///self";);) ## TODO: ## read and search opeartions are there need to verify with auth # aci: (targetattr = "userPassword")(version 3.0; acl "Enable only auth for anonymous"; # allow(read, search) userdn= "ldap://anyone";) aci: (targetattr = "userPassword")(version 3.0; acl "Disable for all other users"; deny(all) (userdn= "ldap:///all";);) II. With multiple allow in one rule: aci: (target = "ldap:///dc=test,dc=com";)(targetattr = "userPassword")(version 3.0; acl "ACI for userPassword attribute"; allow(write) (userdn = "ldap:///cn=repl,dc=test,dc=com";); allow(write)(groupdn = "ldap:///cn=DirectoryAdmins,ou=Groups,dc=test,dc=com";); allow(write)(groupdn = "ldap:///ou=DirectoryAdmins,dc=test,dc=com";); allow(write)(userdn = "ldap:///self";);) Kindly can you review and let me know if i am wrong. Thanks & Regards Cooldharma06 _______________________________________________ 389-users mailing list -- 389-users@xxxxxxxxxxxxxxxxxxxxxxx To unsubscribe send an email to 389-users-leave@xxxxxxxxxxxxxxxxxxxxxxx Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/389-users@xxxxxxxxxxxxxxxxxxxxxxx
