Re: Macro ACI not working as expected

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



Hey Dan,

Try enclosing your target in brackets like this:

aci:(targetattr!="userPassword")(target=(($dn),ou=Domains,dc=example,dc=net))(version
3.0;acl "Allow read access to Domain
members";allow(read,search)(userdn="ldap:///mail=*,($dn),ou=Domains,dc=example,dc=net");)

Let me know if that makes a difference.

Gordon

On 11/9/06, Dan <deighton@xxxxxxxxx> wrote:
I have set up a directory structure as follows:

ou=Domains,dc=example,dc=net
  o=hostedDomain1.com
   mail=user1@xxxxxxxxxxxxxxxxx
   mail=user2@xxxxxxxxxxxxxxxxx
   mail=user3@xxxxxxxxxxxxxxxxx
  o=hostedDomain2.net
   mail=user1@xxxxxxxxxxxxxxxxx
   mail=user2@xxxxxxxxxxxxxxxxx
   mail=user3@xxxxxxxxxxxxxxxxx
  o=hostedDomain3.com
   ...

I would like to allow any mail user to only read the attributes of the
users within their domain.  For example, user1@xxxxxxxxxxxxxxxxx can see
user2@xxxxxxxxxxxxxxxxx, but not user2@xxxxxxxxxxxxxxxxxx

I am not allowing anonymous access.
I have allowed access to the Domains OU with this aci entry (placed on
the Domains OU):

aci: (targetattr=*)(targetfilter=(ou=Domains)) (version 3.0;acl "Allow
read access to Domains OU";allow (read,search)
(userdn="ldap:///mail=*,o=*,ou=Domains,dc=example,dc=net";);)

I have placed the following macro aci on the Domains OU without success:

aci:
(targetattr!="userPassword")
(target="ldap:///($dn),ou=Domains,dc=example,dc=net")
(version 3.0;acl "Allow read access to Domain members";allow
(read,search)(userdn="ldap:///mail=*,($dn),ou=Domains,dc=example,dc=net");)


As I understand it, the second aci should allow read and search access
to domain ($dn) and all entries below it.  However, the behavior that
I'm seeing is that the user can only see down to the domain with no
access to the sub-entries.  In other words, user1@xxxxxxxxxxxxxxxxx can
see o=hostedDomain1.com,ou=Domains,dc=example,dc=net,  but can not see
anything below.

Am I missing something? How can I get this to work properly?

Thanks in advance.




--
Fedora-directory-users mailing list
Fedora-directory-users@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-directory-users


--
Fedora-directory-users mailing list
Fedora-directory-users@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-directory-users

[Index of Archives]     [Fedora Directory Users]     [Fedora Directory Devel]     [Fedora Announce]     [Fedora Legacy Announce]     [Kernel]     [Fedora Legacy]     [Share Photos]     [Fedora Desktop]     [PAM]     [Red Hat Watch]     [Red Hat Development]     [Big List of Linux Books]     [Gimp]     [Yosemite News]

  Powered by Linux