Hello, all. This post is a follow up to an IRC chat with Rich Megginson and others. Rich, I did not report the problem as a bug because upon several more hours of testing, it does not appear to be a conflict between userdn and roledn permissions. Rather, it appears to be a wildcard globbing issue. To bring the everyone else up to speed, in a multi-tenant environment, we have an allow ACI to permit clients to administer their own portion of the tree. However, their portions of the tree also contain some system type accounts used to by the host to enable certain client functions. These should not be viewable by the client admins so there is an ACI to deny access to these. We also want to use macros to create a single ACI at the root which will apply to all clients rather than creating ACIs for each client. To grant client access, we create a role at the top of their tree named ldapadmins and assign it to the appropriate client admins. We create a root level ACI as follows: (targetattr = "*") (target = "ldap:///($dn),dc=ssiservices, dc=biz") (version 3.0;acl "Client Administrators";allow (all)(roledn = "ldap:///cn=ldapadmins,[$dn],dc=ssiservices,dc=biz");) It works fine. The tree looks something like this: root /com /client1 /Users /Internal /Contacts /SysAccounts No one would have access to SysAccounts except client ldapadmins from the above ACI. We don't want that so we create the following ACI to deny access to SysAccounts: (targetattr = "*") (target = "ldap:///ou=sysaccounts,($dn),dc=ssiservices,dc=biz") (version 3.0;acl "Protect sysaccounts";deny (all)(userdn = "ldap:///uid=*,ou=users,[$dn],dc=ssiservices,dc=biz");) We had contemplated (targetattr = "*") (target = "ldap:///ou=sysaccounts,($dn),dc=ssiservices,dc=biz") (version 3.0;acl "Protect sysaccounts";deny (all)(userdn = "ldap:///uid=*[$dn],dc=ssiservices,dc=biz");) but did not want to take the chance that the SysAccounts uses could not see themselves. Let's say we have a client admin at uid=terry,ou=internal,ou=users,dc=client1,dc=com,dc=ssiservices,dc=biz. The * after uid and with no comma before ou=users should match anything in users including "uid=terry,ou=internal,". It doesn't. The deny rule is not applied to Terry. If I change the ACI to: (targetattr = "*") (target = "ldap:///ou=sysaccounts,($dn),dc=ssiservices,dc=biz") (version 3.0;acl "Protect sysaccounts";deny (all)(userdn = "ldap:///uid=*ou=internal,ou=users,[$dn],dc=ssiservices,dc=biz");) it still fails. However, if I change it to: (targetattr = "*") (target = "ldap:///ou=sysaccounts,($dn),dc=ssiservices,dc=biz") (version 3.0;acl "Protect sysaccounts";deny (all)(userdn = "ldap:///uid=*,ou=internal,ou=users,[$dn],dc=ssiservices,dc=biz");) it works. The deny matches Terry and is enforced. This seems to be an explicit contradiction of the documentation. http://www.redhat.com/docs/manuals/dir-server/ag/8.0/Managing_Access_Control-Bind_Rules.html#Bind_Rules-Defining_User_Access___userdn_Keyword userdn = "ldap:///uid=*,dc=example,dc=com"; The bind rule is evaluated to be true if the user binds to the directory using any distinguished name of the specified pattern. For example, both of the following bind DNs would be evaluated to be true: uid=ssarette,dc=example,dc=com uid=tjaz,ou=Accounting,dc=example,dc=com Are we doing something wrong or is this just a mismatch between code and docs? Thanks - John -- John A. Sullivan III Open Source Development Corporation +1 207-985-7880 jsullivan@xxxxxxxxxxxxxxxxxxx http://www.spiritualoutreach.com Making Christianity intelligible to secular society -- Fedora-directory-users mailing list Fedora-directory-users@xxxxxxxxxx https://www.redhat.com/mailman/listinfo/fedora-directory-users