On Tue, 2018-02-27 at 13:44 +0100, Angel Bosch wrote:
A better way to write this is:
(targetattr = "mycustomattr")(version 3.0; acl "allow admins mycustomattr"; allow (all) groupdn = "ldap:///cn=admins,ou=Groups,dc=company,dc=global";)
That's a better rule.
I've tried this and I still can see the attribute without binding (anonymous search).
Here you can see the custom attr imasLocalAdminPass:

dn: uid=provamaquina01,ou=users,dc=example.net,dc=petratest,dc=proves,dc=global
imasLocalAdminPass: 12345678test
objectClass: account
objectClass: top
objectClass: posixAccount
objectClass: imasMaquines
uidNumber: 999999
homeDirectory: /dev/null
gidNumber: 999999
cn: provamaquina01
uid: provamaquina01
entryLevelRights: vn
attributeLevelRights: userPassword:wo, imasLocalAdminPass:rscwo, objectClass:rscwo, uidNumber:rscwo, homeDirectory:rscwo, gidNumber:rscwo, cn:rscwo, uid:rscwo
I need to see the aci's on your server to help more. Can you please send me (either to the list, or directly to my email) the output of:
ldapsearch -x -b "your basedn" -D 'cn=Directory Manager' -W -H ldaps://<your server> '(aci=*)' aci

That will help me answer the question as to what is causing this attribute to be readable.
Thanks!
Thanks for your time, William.
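The thread stops before the ACIs are posted, so the cause on Angel's server is not shown here. The mechanism William is hinting at is that 389 Directory Server ACIs are additive: the default is deny, every allow rule whose bind rule and targetattr match is unioned with the others, and a matching deny overrides all allows. An admin-only rule on imasLocalAdminPass therefore cannot take read access away from anonymous if some other rule already grants it, typically a broad "allow (read, search, compare) userdn = ldap:///anyone" rule that only excludes userPassword. The following offline checker is an added example, not code from this list or from 389-ds: it parses the common ACI shape (targetattr, acl name, allow/deny permission list, one userdn/groupdn bind rule) and reports which rules give an anonymous bind read access to a given attribute. The sample ACIs are constructed; the anonymous rule is modelled on the one 389-ds ships as "Enable anonymous access", not on anything the thread shows. The real ACIs would come from the `ldapsearch ... '(aci=*)' aci` query above, run as Directory Manager.

```python
"""Offline audit of 389-ds style ACIs: which rules let an anonymous bind read an attribute?

Added example for this thread, not code from the list or from 389 Directory Server.
It models only the subset of ACI syntax seen in everyday rules:
  (targetattr = "a || b"), (targetattr != "a || b"), (targetattr = "*"),
  allow/deny with a permission list, and a single userdn/groupdn bind rule.
Real evaluation has more clauses (targetfilter, targattrfilters, ip, dns,
timeofday, multiple bind rules joined with and/or). Anything this parser
cannot read is reported as unparsed instead of being guessed at.
"""
import re

ACI_RE = re.compile(
    r'\(targetattr\s*(?P<op>!?=)\s*"(?P<attrs>[^"]*)"\)'        # target attribute clause
    r'.*?acl\s*"(?P<name>[^"]*)"\s*;'                            # acl name
    r'\s*(?P<effect>allow|deny)\s*\((?P<perms>[^)]*)\)'          # permission list
    r'\s*(?P<bindtype>userdn|groupdn)\s*=\s*"(?P<bind>[^"]*)"',  # bind rule
    re.IGNORECASE | re.DOTALL,
)

ALL_PERMS = {"read", "search", "compare", "write", "selfwrite", "add", "delete", "proxy"}


def parse_aci(aci):
    """Return a dict describing the rule, or None if the syntax is outside our model."""
    m = ACI_RE.search(aci)
    if not m:
        return None
    attrs = [a.strip().lower() for a in m.group("attrs").split("||")]
    perms = {p.strip().lower() for p in m.group("perms").split(",")}
    if "all" in perms:
        perms = set(ALL_PERMS)
    return {
        "name": m.group("name"),
        "negated": m.group("op") == "!=",   # (targetattr != ...) means "every attribute except these"
        "attrs": attrs,
        "effect": m.group("effect").lower(),
        "perms": perms,
        "bindtype": m.group("bindtype").lower(),
        "bind": m.group("bind"),
    }


def targets_attr(rule, attr):
    """Does the rule's targetattr clause cover this attribute (attribute names are case-insensitive)?"""
    attr = attr.lower()
    listed = "*" in rule["attrs"] or attr in rule["attrs"]
    return (not listed) if rule["negated"] else listed


def applies_to_anonymous(rule):
    """Only userdn = "ldap:///anyone" matches an unauthenticated bind.
    "ldap:///all" means authenticated users only; groupdn and self never match anonymous."""
    return rule["bindtype"] == "userdn" and rule["bind"].lower() == "ldap:///anyone"


def anonymous_can_read(acis, attr):
    """389-ds semantics in brief: default deny, matching allows are unioned, a matching deny wins.
    Returns (readable, details) where details lists the rule names that decided the answer."""
    allows, denies, unparsed = [], [], []
    for aci in acis:
        rule = parse_aci(aci)
        if rule is None:
            unparsed.append(aci)
            continue
        if not (applies_to_anonymous(rule) and targets_attr(rule, attr) and "read" in rule["perms"]):
            continue
        (denies if rule["effect"] == "deny" else allows).append(rule["name"])
    readable = bool(allows) and not denies
    return readable, {"allows": allows, "denies": denies, "unparsed": unparsed}


# Constructed sample rules (not the ACIs on the poster's server, which the thread never shows).
ADMIN_ACI = ('(targetattr = "imasLocalAdminPass")(version 3.0; acl "allow admins imasLocalAdminPass"; '
             'allow (all) groupdn = "ldap:///cn=admins,ou=Groups,dc=company,dc=global";)')
# Shape of the anonymous-access rule 389-ds ships by default: everything except userPassword.
ANON_BROAD = ('(targetattr != "userPassword")(version 3.0; acl "Enable anonymous access"; '
              'allow (read, search, compare) userdn = "ldap:///anyone";)')
# Same rule with the custom attribute added to the exclusion list.
ANON_FIXED = ('(targetattr != "userPassword || imasLocalAdminPass")(version 3.0; acl "Enable anonymous access"; '
              'allow (read, search, compare) userdn = "ldap:///anyone";)')


def report(acis, attr):
    readable, details = anonymous_can_read(acis, attr)
    verdict = "READABLE by anonymous" if readable else "not readable by anonymous"
    print(f"{attr}: {verdict}; allows={details['allows']} denies={details['denies']} "
          f"unparsed={len(details['unparsed'])}")
    return readable


if __name__ == "__main__":
    report([ADMIN_ACI], "imasLocalAdminPass")              # admin rule alone: not readable
    report([ADMIN_ACI, ANON_BROAD], "imasLocalAdminPass")  # broad anon rule leaks it
    report([ADMIN_ACI, ANON_FIXED], "imasLocalAdminPass")  # exclusion closes the gap
    report([ADMIN_ACI, ANON_FIXED], "cn")                  # ordinary attributes stay readable
```

The point the two middle lines make is the one to carry back to a real server: a new allow rule never narrows access, so either the broad anonymous rule has to exclude the sensitive attribute (as in `ANON_FIXED`) or a deny rule for `ldap:///anyone` on that attribute has to be added. Either way, confirm the result with an unauthenticated `ldapsearch` against the entry rather than by reading the ACIs alone.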