> On 26 Sep 2020, at 05:43, Alberto Viana <albertocrj@xxxxxxxxx> wrote: > > Hey Guys, > > Is it possible to restrict some users to read,search,compare just specific attributes but still use objectclass=* as a filter? > > My aci: > aci: (targetattr="uid || givenName || cn || sn || manager || mail")(targetfilter="(objectclass=*)")(version 3.0;aci "Access for app to specific needed attributes";allow (read,compare,search) groupdn="ldap:///cn=my-group";;) > > If I do a ldapsearch with this user (myuser is in the group my-group): > > ldapsearch -b "dc=rnp,dc=local" -W -D "uid=myuser" uid=alberto.viana > > Returns me the user alberto.viana and the attributes that acis allows > > but if I do: > > ldapsearch -b "dc=rnp,dc=local" -W -D "uid=myuser" objectclass=* > returns me nothing. I think you need objectClass in your targetAttr set. if You can't read the attribute, you can't do a comparison/filter on it. > > > Thanks!! > > Alberto Viana > _______________________________________________ > 389-users mailing list -- 389-users@xxxxxxxxxxxxxxxxxxxxxxx > To unsubscribe send an email to 389-users-leave@xxxxxxxxxxxxxxxxxxxxxxx > Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ > List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines > List Archives: https://lists.fedoraproject.org/archives/list/389-users@xxxxxxxxxxxxxxxxxxxxxxx — Sincerely, William Brown Senior Software Engineer, 389 Directory Server SUSE Labs, Australia _______________________________________________ 389-users mailing list -- 389-users@xxxxxxxxxxxxxxxxxxxxxxx To unsubscribe send an email to 389-users-leave@xxxxxxxxxxxxxxxxxxxxxxx Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/389-users@xxxxxxxxxxxxxxxxxxxxxxx
