On 31/10/2025 14:54, Mark Reynolds wrote:
>
> Hi Jonathan,
>
> Yes, so the issue is that the user who is binding does not have read
> permission to shadowExpire. Directory Manager bypasses any aci
> restrictions.
>
> So you need an aci something like this:
>
> dn: ou=people,dc=example,dc=com
> aci: (target="ldap:///ou=people,dc=example,dc=com")(targetattr="shadowExpire")(version 3.0; acl "aci for shadowExpire"; allow(all) userdn="ldap:///uid=your_user,ou=people,dc=example,dc=com";)
>
I have never dealt with modifying ACIs in LDAP before and I am
obviously doing something wrong. After creating an LDIF and trying to
apply it I get the following error. I have of course changed the dn from my
actual dn for security reasons.
ldap_modify: Invalid syntax (21)
additional info: ACL Syntax
Error(-5):(target=\22ldap:///ou=people,dc=example,dc=com\22)(targetattr=\22shadowExpire\22)(version3.0;
acl \22aci for shadowExpire\22; allow(read)
userdn=\22ldap:///uid=readonly,ou=people,dc=example,dc=com\22;)
This is my ldif between the ###
###
dn: ou=people,dc=example,dc=com
changetype: modify
add: aci
aci:
(target="ldap:///ou=people,dc=example,dc=com")(targetattr="shadowExpire")(version3.0;
acl "aci for shadowExpire"; allow(read)
userdn="ldap:///uid=readonly,ou=people,dc=example,dc=com";)
###
Any ideas what I am doing wrong?
JAB.
--
Jonathan A. Buzzard Tel: +44141-5483420
HPC System Administrator, ARCHIE-WeSt.
University of Strathclyde, John Anderson Building, Glasgow. G4 0NG
--
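The server's "ACL Syntax Error" above is raised on a value where the `version` keyword and `3.0` have run together (`(version3.0;`), whereas the quoted reply writes `(version 3.0;` with a space. The following is an added example, not code from the thread or from the 389 project: it assembles an aci value in the shape the reply shows, runs a few pre-flight checks that catch exactly this class of tokenization slip before ldapmodify is called, and renders the `changetype: modify` LDIF with RFC 2849 line folding (a leading space on every continuation line) so a long aci survives being split over several lines. The DNs, the attribute list and the rights are constructed placeholders; the checks are a local sanity pass and do not replace the server's own ACI parser.

```python
"""Build, pre-check and LDIF-fold a 389-ds aci value (added example)."""
import re

LDIF_MAX = 76  # RFC 2849: fold lines longer than 76 characters

# Constructed sample values; substitute the real suffix and bind DN.
PEOPLE_DN = "ou=people,dc=example,dc=com"
BIND_DN = "uid=readonly,ou=people,dc=example,dc=com"


def build_aci(target_dn, attrs, name, rights, bind_dn):
    """Assemble an aci value in the form shown in the quoted reply."""
    attr_list = " || ".join(attrs)      # several attrs: "shadowExpire || shadowMax"
    right_list = ",".join(rights)       # e.g. "read,search" or "all"
    return (
        '(target="ldap:///%s")(targetattr="%s")'
        '(version 3.0; acl "%s"; allow(%s) userdn="ldap:///%s";)'
        % (target_dn, attr_list, name, right_list, bind_dn)
    )


def check_aci_syntax(aci):
    """Return a list of problems found; an empty list means the checks passed."""
    problems = []
    # The version clause must be the two tokens "version" and "3.0".
    if not re.search(r'\(version\s+3\.0\s*;', aci):
        problems.append('no "(version 3.0;" clause (a missing space, '
                        'as in "version3.0", is the usual cause)')
    if aci.count("(") != aci.count(")"):
        problems.append("unbalanced parentheses")
    if aci.count('"') % 2:
        problems.append("unbalanced double quotes")
    if not re.search(r'\bacl\s+"[^"]*"\s*;', aci):
        problems.append('no acl "name"; clause')
    if not re.search(r'\b(allow|deny)\s*\([^)]+\)', aci):
        problems.append("no allow(...)/deny(...) permission")
    if not aci.rstrip().endswith(";)"):
        problems.append('value must end with ";)"')
    return problems


def fold_ldif_attr(attr, value, width=LDIF_MAX):
    """Render 'attr: value' as LDIF, folding long lines with a leading space."""
    line = "%s: %s" % (attr, value)
    out = [line[:width]]
    rest = line[width:]
    while rest:
        out.append(" " + rest[:width - 1])
        rest = rest[width - 1:]
    return "\n".join(out)


def unfold_ldif(text):
    """Reverse the folding: a line beginning with one space continues the previous one."""
    return re.sub(r"\n ", "", text)


def aci_add_ldif(entry_dn, aci):
    """The 'add: aci' modify record, with the aci value folded for ldapmodify."""
    return "\n".join([
        "dn: %s" % entry_dn,
        "changetype: modify",
        "add: aci",
        fold_ldif_attr("aci", aci),
        "",
    ])


# The value the thread is trying to apply (rights mirror the post's allow(read)).
GOOD_ACI = build_aci(PEOPLE_DN, ["shadowExpire"], "aci for shadowExpire",
                     ["read"], BIND_DN)
# The same value with the slip that produced the server's syntax error.
BROKEN_ACI = GOOD_ACI.replace("version 3.0", "version3.0")


if __name__ == "__main__":
    for label, aci in (("good", GOOD_ACI), ("broken", BROKEN_ACI)):
        print(label, "->", check_aci_syntax(aci) or "ok")
    print(aci_add_ldif(PEOPLE_DN, GOOD_ACI))
```

Pipe the printed record into `ldapmodify -x -D "cn=Directory Manager" -W -f -` (or save it to a file) only after `check_aci_syntax` returns an empty list; the folded output unfolds back to the original aci, so the `\22`-escaped value the server echoes in an error should match what you meant to send.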
_______________________________________________
389-users mailing list -- 389-users@lists.fedoraproject.org
To unsubscribe send an email to 389-users-leave@lists.fedoraproject.org
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/389-users@lists.fedoraproject.org
Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue