Monday, February 8, 2021

[389-users] Re: ACI with groupdn to target multiple groups

> On 8 Feb 2021, at 19:18, N R <randria.nicolas@gmail.com> wrote:
>
> Hi everyone,
>
> Thanks to Ludwig's indications, I've been able to get the behaviour I
> expected, using the filter with this ACI:
> (targetattr = "*")
> (target = "ldap:///cn=proxy,ou=Servers,dc=domain,dc=tld")
> (version 3.0;
> acl "Allow only groups members to query this object";
> allow (all)
> (groupdn = "ldap:///cn=proxy,ou=Servers,dc=domain,dc=tld??sub?(objectclass=groupofuniquenames)")
> ;)
>
> Regarding the usage of the "*" joker, I realized I misunderstood the
> documentation. I thought it could be used in the groupdn as in the
> userdn or the filter.
> Thanks to Pierre for helping me clarify this point.
>
> A general thanks to every contributor to this topic who helped me get
> through my issue.
>
> Best regards,
> Cheers
>


As a final follow up, you may wish to use targetattr = "attr | attr ..." instead of *. * in targetattr can reveal system-internal types.

See this for more:

https://access.redhat.com/documentation/en-us/red_hat_directory_server/11/html/administration_guide/defining_targets#targeting_attributes

As well, we also do NOT advise the use of != targetattr rules as these can lead to bypasses.

Hope that helps! Happy to have you using 389-ds :)


Sincerely,

William Brown

Senior Software Engineer, 389 Directory Server
SUSE Labs, Australia
_______________________________________________
389-users mailing list -- 389-users@lists.fedoraproject.org
To unsubscribe send an email to 389-users-leave@lists.fedoraproject.org
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/389-users@lists.fedoraproject.org
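As an added example, not code from the thread or from 389-ds itself: a small Python lint that flags the two targetattr patterns the reply warns about (a "*" target and a "!=" exclusion rule), run over the ACI Nicolas posted, and a helper that rewrites the clause to an explicit "||" list. The attribute names in the hardened version are an assumption; substitute whatever the proxy's clients actually need to read.

```python
"""Lint 389-ds ACI strings for risky targetattr clauses (hypothetical helper)."""
import re

# A (targetattr = "...") or (targetattr != "...") clause; assumes the value is
# double-quoted, which is how 389-ds ACIs are normally written.
TARGETATTR_RE = re.compile(r'\(\s*targetattr\s*(!=|=)\s*"([^"]*)"\s*\)', re.IGNORECASE)


def targetattr_clauses(aci):
    """Return (operator, [attr, ...]) for every targetattr clause in the ACI."""
    out = []
    for op, value in TARGETATTR_RE.findall(aci):
        attrs = [a.strip() for a in value.split("||") if a.strip()]
        out.append((op, attrs))
    return out


def check_aci(aci):
    """Return findings for the patterns discussed in the thread; empty list means none."""
    findings = []
    for op, attrs in targetattr_clauses(aci):
        if op == "!=":
            findings.append("targetattr != rule: exclusion lists can be bypassed; list the allowed attributes instead")
        if "*" in attrs:
            findings.append('targetattr "*": grants access to every attribute, including system-internal types')
    return findings


def with_explicit_targetattr(aci, attrs):
    """Rewrite each targetattr clause of `aci` to an explicit '||'-separated list."""
    clause = '(targetattr = "%s")' % " || ".join(attrs)
    return TARGETATTR_RE.sub(lambda m: clause, aci)


# Constructed sample: the ACI posted in the thread, which targets every attribute.
ORIGINAL_ACI = (
    '(targetattr = "*")'
    '(target = "ldap:///cn=proxy,ou=Servers,dc=domain,dc=tld")'
    '(version 3.0; acl "Allow only groups members to query this object"; allow (all) '
    '(groupdn = "ldap:///cn=proxy,ou=Servers,dc=domain,dc=tld??sub?(objectclass=groupofuniquenames)");)'
)
# Assumed attribute list for the hardened form of the same ACI.
HARDENED_ACI = with_explicit_targetattr(ORIGINAL_ACI, ["cn", "ipHostNumber", "description"])

if __name__ == "__main__":
    for name, aci in (("original", ORIGINAL_ACI), ("hardened", HARDENED_ACI)):
        print(name, check_aci(aci) or "ok")
```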