> On 26 Sep 2020, at 05:43, Alberto Viana <albertocrj@gmail.com> wrote:
>
> Hey Guys,
>
> Is it possible to restrict some users to read,search,compare just specific attributes but still use objectclass=* as a filter?
>
> My aci:
> aci: (targetattr="uid || givenName || cn || sn || manager || mail")(targetfilter="(objectclass=*)")(version 3.0;aci "Access for app to specific needed attributes";allow (read,compare,search) groupdn="ldap:///cn=my-group";)
>
> If I do a ldapsearch with this user (myuser is in the group my-group):
>
> ldapsearch -b "dc=rnp,dc=local" -W -D "uid=myuser" uid=alberto.viana
>
> Returns me the user alberto.viana and the attributes that acis allows
>
> but if I do:
>
> ldapsearch -b "dc=rnp,dc=local" -W -D "uid=myuser" objectclass=*
> returns me nothing.
I think you need objectClass in your targetAttr set. if You can't read the attribute, you can't do a comparison/filter on it.
>
>
> Thanks!!
>
> Alberto Viana
> _______________________________________________
> 389-users mailing list -- 389-users@lists.fedoraproject.org
> To unsubscribe send an email to 389-users-leave@lists.fedoraproject.org
> Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives: https://lists.fedoraproject.org/archives/list/389-users@lists.fedoraproject.org
—
Sincerely,
William Brown
Senior Software Engineer, 389 Directory Server
SUSE Labs, Australia
_______________________________________________
389-users mailing list -- 389-users@lists.fedoraproject.org
To unsubscribe send an email to 389-users-leave@lists.fedoraproject.org
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/389-users@lists.fedoraproject.org
No comments:
Post a Comment