On Tue, 2018-02-27 at 13:44 +0100, Angel Bosch wrote:
> A better way to write this is:
>
> (targetattr = "mycustomattr")(version 3.0; acl "allow admins
> mycustomattr"; allow (all) groupdn =
> "ldap:///cn=admins,ou=Groups,dc=company,dc=global";)
>
> That's a better rule.
>
I've tried this and I still can see the attribute without binding
(anonymous search).
Here you can see the custom attr imasLocalAdminPass:
dn: uid=provamaquina01,ou=users,dc=example.net,dc=petratest,dc=proves,dc=global
imasLocalAdminPass: 12345678test
objectClass: account
objectClass: top
objectClass: posixAccount
objectClass: imasMaquines
uidNumber: 999999
homeDirectory: /dev/null
gidNumber: 999999
cn: provamaquina01
uid: provamaquina01
entryLevelRights: vn
attributeLevelRights: userPassword:wo, imasLocalAdminPass:rscwo, objectClass:rscwo, uidNumber:rscwo, homeDirectory:rscwo, gidNumber:rscwo, cn:rscwo, uid:rscwo

I need to see the ACIs on your server to help more. Can you please
send me (either to the list, or directly to my email) the output of:

ldapsearch -x -b "your basedn" -D 'cn=Directory Manager' -W -H ldaps://<your server> '(aci=*)' aci

That will help me answer the question as to what is causing this
attribute to be readable.

Thanks!
thanks for your time, william.
--
Thanks,
William Brown
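
An added example, not part of either poster's message: a small Python check that parses effective-rights output like the one quoted above and reports sensitive attributes the bound identity can read, search or compare. SAMPLE is constructed from the values in the thread, and the names parse_ger and disclosed are hypothetical.

```python
import re

# Constructed sample modeled on the effective-rights output quoted in the thread.
# LDIF folds long lines: a continuation starts with a single space.
SAMPLE = """\
dn: uid=provamaquina01,ou=users,dc=example.net,dc=petratest,dc=proves,dc=global
entryLevelRights: vn
attributeLevelRights: userPassword:wo, imasLocalAdminPass:rscwo, objectClass:r
 scwo, uidNumber:rscwo, cn:rscwo
"""

DISCLOSING = set("rsc")  # read, search, compare: each reveals something about the value


def parse_ger(ldif):
    """Return {dn: {attribute: rights}} from get-effective-rights LDIF."""
    result, dn = {}, None
    for line in re.sub(r"\r?\n ", "", ldif).splitlines():  # unfold first
        name, sep, value = line.partition(":")
        if not sep:
            continue
        name, value = name.lower(), value.strip()
        if name == "dn":
            dn = value
            result[dn] = {}
        elif name == "attributelevelrights" and dn is not None:
            for item in value.split(","):
                attr, _, rights = item.strip().rpartition(":")
                if attr:
                    result[dn][attr] = rights
    return result


def disclosed(ger, sensitive):
    """List (dn, attr, rights) where a sensitive attribute is readable."""
    wanted = {a.lower() for a in sensitive}
    return [(dn, attr, rights)
            for dn, attrs in ger.items()
            for attr, rights in attrs.items()
            if attr.lower() in wanted and DISCLOSING & set(rights)]


if __name__ == "__main__":
    hits = disclosed(parse_ger(SAMPLE), ["imasLocalAdminPass", "userPassword"])
    for dn, attr, rights in hits:
        print(f"{attr} on {dn}: rights '{rights}' for the bound identity")
```

Run against an anonymous effective-rights search, an empty result means none of the listed attributes is exposed to unauthenticated clients.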