> On 8 Feb 2021, at 19:18, N R <randria.nicolas@xxxxxxxxx> wrote:
>
> Hi everyone,
>
> Thanks to Ludwig's indications, I've been able to get the behaviour I
> expected, using the filter with this ACI:
>
> (targetattr = "*")
> (target = "ldap:///cn=proxy,ou=Servers,dc=domain,dc=tld")
> (version 3.0;
> acl "Allow only groups members to query this object";
> allow (all)
> (groupdn = "ldap:///cn=proxy,ou=Servers,dc=domain,dc=tld??sub?(objectclass=groupofuniquenames)")
> ;)
>
> Regarding the usage of the "*" joker, I realized I misunderstood the
> documentation. I thought it could be used in the groupdn as in the
> userdn or the filter.
> Thanks to Pierre for helping me clarify this point.
>
> A general thanks to every contributor to this topic who helped me get
> through my issue.
>
> Best regards,
> Cheers

As a final follow up, you may wish to use targetattr = "attr | attr ..." instead of *. * in targetattr can reveal system-internal types. See this for more:

https://access.redhat.com/documentation/en-us/red_hat_directory_server/11/html/administration_guide/defining_targets#targeting_attributes

As well, we also do NOT advise the use of != targetattr rules as these can lead to bypasses.

Hope that helps! Happy to have you using 389-ds :)

—
Sincerely,

William Brown

Senior Software Engineer, 389 Directory Server
SUSE Labs, Australia

_______________________________________________
389-users mailing list -- 389-users@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to 389-users-leave@xxxxxxxxxxxxxxxxxxxxxxx
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/389-users@xxxxxxxxxxxxxxxxxxxxxxx
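The two pieces of advice in the reply above (enumerate attributes in targetattr instead of "*", and avoid != targetattr rules) are easy to check mechanically when reviewing ACIs exported from a directory. The following is an added example written for this thread; it is not code from the 389-ds project or from either poster. It embeds the ACI posted in the thread as a constructed string, builds an explicit-attribute variant of it (the attribute names cn, description and uniqueMember are assumed for illustration; "||" is the separator the 389-ds documentation uses, and the check also accepts a single "|"), and a constructed negated rule, then flags the two patterns the reply warns about.

```python
import re
from typing import List, Optional, Tuple

# Constructed for this example: the ACI posted in the thread, using
# targetattr = "*" (the pattern the reply advises against).
WILDCARD_ACI = (
    '(targetattr = "*")'
    '(target = "ldap:///cn=proxy,ou=Servers,dc=domain,dc=tld")'
    '(version 3.0; acl "Allow only groups members to query this object"; '
    'allow (all) (groupdn = "ldap:///cn=proxy,ou=Servers,dc=domain,dc=tld'
    '??sub?(objectclass=groupofuniquenames)");)'
)

# Constructed: the same ACI with an explicit attribute list. The attribute
# names are assumed for illustration, not taken from the thread.
EXPLICIT_ACI = WILDCARD_ACI.replace(
    '(targetattr = "*")', '(targetattr = "cn || description || uniqueMember")'
)

# Constructed: a negated targetattr rule, the second pattern advised against.
NEGATED_ACI = (
    '(targetattr != "userPassword")'
    '(version 3.0; acl "everything but the password"; allow (read, search) '
    '(userdn = "ldap:///anyone");)'
)

# Matches the first targetattr clause: operator ("=" or "!=") and quoted value.
_TARGETATTR = re.compile(r'targetattr\s*(!=|=)\s*"([^"]*)"')


def target_attrs(aci: str) -> Optional[Tuple[str, List[str]]]:
    """Return (operator, [attribute names]) from the targetattr clause, or None."""
    m = _TARGETATTR.search(aci)
    if m is None:
        return None
    op, value = m.group(1), m.group(2)
    # Split on "||" (documented separator) or a single "|" as written in the reply.
    attrs = [a.strip() for a in re.split(r"\|\|?", value) if a.strip()]
    return op, attrs


def aci_findings(aci: str) -> List[str]:
    """List the targetattr anti-patterns named in the reply that appear in aci."""
    parsed = target_attrs(aci)
    if parsed is None:
        return ["no targetattr clause found"]
    op, attrs = parsed
    findings = []
    if op == "!=":
        findings.append('targetattr uses "!=": negated rules can be bypassed')
    if "*" in attrs:
        findings.append('targetattr "*" exposes system-internal attribute types')
    return findings


if __name__ == "__main__":
    for name, aci in (("wildcard", WILDCARD_ACI), ("explicit", EXPLICIT_ACI),
                      ("negated", NEGATED_ACI)):
        print(name, aci_findings(aci) or "ok")
```

Run over a dump of the aci attribute values in a directory, this flags every rule that still uses the wildcard or a negated attribute list; the fix in each case is the explicit list the reply recommends.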