Hey Guys,
Is it possible to restrict some users to read,search,compare just specific attributes but still use objectclass=* as a filter?
My aci: aci: (targetattr="uid || givenName || cn || sn || manager || mail")(targetfilter="(objectclass=*)")(version 3.0;aci "Access for app to specific needed attributes";allow (read,compare,search) groupdn="ldap:///cn=my-group";)
If I do a ldapsearch with this user (myuser is in the group my-group):
ldapsearch -b "dc=rnp,dc=local" -W -D "uid=myuser" uid=alberto.viana
Returns me the user alberto.viana and the attributes that acis allows
but if I do:
ldapsearch -b "dc=rnp,dc=local" -W -D "uid=myuser" objectclass=* returns me nothing.
Thanks!!
Alberto Viana
On 26 Sep 2020, at 05:43, Alberto Viana albertocrj@gmail.com wrote:
Hey Guys,
Is it possible to restrict some users to read,search,compare just specific attributes but still use objectclass=* as a filter?
My aci: aci: (targetattr="uid || givenName || cn || sn || manager || mail")(targetfilter="(objectclass=*)")(version 3.0;aci "Access for app to specific needed attributes";allow (read,compare,search) groupdn="ldap:///cn=my-group";)
If I do a ldapsearch with this user (myuser is in the group my-group):
ldapsearch -b "dc=rnp,dc=local" -W -D "uid=myuser" uid=alberto.viana
Returns me the user alberto.viana and the attributes that acis allows
but if I do:
ldapsearch -b "dc=rnp,dc=local" -W -D "uid=myuser" objectclass=* returns me nothing.
I think you need objectClass in your targetAttr set. if You can't read the attribute, you can't do a comparison/filter on it.
Thanks!!
Alberto Viana _______________________________________________ 389-users mailing list -- 389-users@lists.fedoraproject.org To unsubscribe send an email to 389-users-leave@lists.fedoraproject.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/389-users@lists.fedoraproject....
— Sincerely,
William Brown
Senior Software Engineer, 389 Directory Server SUSE Labs, Australia
William,
I don't think thatś the way to do that:
additional info: targetattr "objectclass=person" does not exist in schema. Please add attributeTypes "objectclass=person" to schema if necessary (Also tried objectclass=*)
This one works:
(targetattr!="userPassword")(targetfilter="(|(objectclass=person)(objectclass=organizationalperson)(objectclass=inetOrgPerson)(objectClass=ntUser)(objectClass=eduPerson)(objectClass=brPerson)(objectClass=schacPersonalCharacteristics)(objectClass=pwmUser)(objectClass=inetuser)(objectClass=ntGroup))")
but I really need to restrict the attributes for this specific group of users.
Couldn find a way to do what I want, maybe I'll have to change the filter.
Thanks
Alberto Viana
On Sun, Sep 27, 2020 at 8:49 PM William Brown wbrown@suse.de wrote:
On 26 Sep 2020, at 05:43, Alberto Viana albertocrj@gmail.com wrote:
Hey Guys,
Is it possible to restrict some users to read,search,compare just
specific attributes but still use objectclass=* as a filter?
My aci: aci: (targetattr="uid || givenName || cn || sn || manager ||
mail")(targetfilter="(objectclass=*)")(version 3.0;aci "Access for app to specific needed attributes";allow (read,compare,search) groupdn="ldap:///cn=my-group";)
If I do a ldapsearch with this user (myuser is in the group my-group):
ldapsearch -b "dc=rnp,dc=local" -W -D "uid=myuser" uid=alberto.viana
Returns me the user alberto.viana and the attributes that acis allows
but if I do:
ldapsearch -b "dc=rnp,dc=local" -W -D "uid=myuser" objectclass=* returns me nothing.
I think you need objectClass in your targetAttr set. if You can't read the attribute, you can't do a comparison/filter on it.
Thanks!!
Alberto Viana _______________________________________________ 389-users mailing list -- 389-users@lists.fedoraproject.org To unsubscribe send an email to 389-users-leave@lists.fedoraproject.org Fedora Code of Conduct:
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives:
https://lists.fedoraproject.org/archives/list/389-users@lists.fedoraproject....
— Sincerely,
William Brown
Senior Software Engineer, 389 Directory Server SUSE Labs, Australia _______________________________________________ 389-users mailing list -- 389-users@lists.fedoraproject.org To unsubscribe send an email to 389-users-leave@lists.fedoraproject.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/389-users@lists.fedoraproject....
On 28.09.20 14:56, Alberto Viana wrote:
William,
I don't think thatś the way to do that:
additional info: targetattr "objectclass=person" does not exist in schema. Please add attributeTypes "objectclass=person" to schema if necessary (Also tried objectclass=*)
what aci did you try ?
what William was saying is that if you use a searchfilter like "Objectclass=*" you need an aci that gives the user "search" rights for the attribute objectclass, so you would have to extend the targetattr in your original aci from
(targetattr="uid || givenName || cn || sn || manager || mail")
to
(targetattr="objectclass || uid || givenName || cn || sn || manager || mail")
or create another aci giving only search rigthts for objectclass
Ludwig
This one works:
(targetattr!="userPassword")(targetfilter="(|(objectclass=person)(objectclass=organizationalperson)(objectclass=inetOrgPerson)(objectClass=ntUser)(objectClass=eduPerson)(objectClass=brPerson)(objectClass=schacPersonalCharacteristics)(objectClass=pwmUser)(objectClass=inetuser)(objectClass=ntGroup))")
but I really need to restrict the attributes for this specific group of users.
Couldn find a way to do what I want, maybe I'll have to change the filter.
Thanks
Alberto Viana
On Sun, Sep 27, 2020 at 8:49 PM William Brown <wbrown@suse.de mailto:wbrown@suse.de> wrote:
> On 26 Sep 2020, at 05:43, Alberto Viana <albertocrj@gmail.com <mailto:albertocrj@gmail.com>> wrote: > > Hey Guys, > > Is it possible to restrict some users to read,search,compare just specific attributes but still use objectclass=* as a filter? > > My aci: > aci: (targetattr="uid || givenName || cn || sn || manager || mail")(targetfilter="(objectclass=*)")(version 3.0;aci "Access for app to specific needed attributes";allow (read,compare,search) groupdn="ldap:///cn=my-group";) > > If I do a ldapsearch with this user (myuser is in the group my-group): > > ldapsearch -b "dc=rnp,dc=local" -W -D "uid=myuser" uid=alberto.viana > > Returns me the user alberto.viana and the attributes that acis allows > > but if I do: > > ldapsearch -b "dc=rnp,dc=local" -W -D "uid=myuser" objectclass=* > returns me nothing. I think you need objectClass in your targetAttr set. if You can't read the attribute, you can't do a comparison/filter on it. > > > Thanks!! > > Alberto Viana > _______________________________________________ > 389-users mailing list -- 389-users@lists.fedoraproject.org <mailto:389-users@lists.fedoraproject.org> > To unsubscribe send an email to 389-users-leave@lists.fedoraproject.org <mailto:389-users-leave@lists.fedoraproject.org> > Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ > List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines > List Archives: https://lists.fedoraproject.org/archives/list/389-users@lists.fedoraproject.org — Sincerely, William Brown Senior Software Engineer, 389 Directory Server SUSE Labs, Australia _______________________________________________ 389-users mailing list -- 389-users@lists.fedoraproject.org <mailto:389-users@lists.fedoraproject.org> To unsubscribe send an email to 389-users-leave@lists.fedoraproject.org <mailto:389-users-leave@lists.fedoraproject.org> Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/389-users@lists.fedoraproject.org
389-users mailing list -- 389-users@lists.fedoraproject.org To unsubscribe send an email to 389-users-leave@lists.fedoraproject.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/389-users@lists.fedoraproject....
Ludwig,
Sorry,
After I read again, I understood what he meant, everything is working fine.
Thanks
On Mon, Sep 28, 2020 at 10:23 AM Ludwig Krispenz krispenz@t-online.de wrote:
On 28.09.20 14:56, Alberto Viana wrote:
William,
I don't think thatś the way to do that:
additional info: targetattr "objectclass=person" does not exist in schema. Please add attributeTypes "objectclass=person" to schema if necessary (Also tried objectclass=*)
what aci did you try ?
what William was saying is that if you use a searchfilter like "Objectclass=*" you need an aci that gives the user "search" rights for the attribute objectclass, so you would have to extend the targetattr in your original aci from
(targetattr="uid || givenName || cn || sn || manager || mail")
to
(targetattr="objectclass || uid || givenName || cn || sn || manager || mail")
or create another aci giving only search rigthts for objectclass
Ludwig
This one works:
(targetattr!="userPassword")(targetfilter="(|(objectclass=person)(objectclass=organizationalperson)(objectclass=inetOrgPerson)(objectClass=ntUser)(objectClass=eduPerson)(objectClass=brPerson)(objectClass=schacPersonalCharacteristics)(objectClass=pwmUser)(objectClass=inetuser)(objectClass=ntGroup))")
but I really need to restrict the attributes for this specific group of users.
Couldn find a way to do what I want, maybe I'll have to change the filter.
Thanks
Alberto Viana
On Sun, Sep 27, 2020 at 8:49 PM William Brown wbrown@suse.de wrote:
On 26 Sep 2020, at 05:43, Alberto Viana albertocrj@gmail.com wrote:
Hey Guys,
Is it possible to restrict some users to read,search,compare just
specific attributes but still use objectclass=* as a filter?
My aci: aci: (targetattr="uid || givenName || cn || sn || manager ||
mail")(targetfilter="(objectclass=*)")(version 3.0;aci "Access for app to specific needed attributes";allow (read,compare,search) groupdn= "ldap:///cn=my-group";)
If I do a ldapsearch with this user (myuser is in the group my-group):
ldapsearch -b "dc=rnp,dc=local" -W -D "uid=myuser" uid=alberto.viana
Returns me the user alberto.viana and the attributes that acis allows
but if I do:
ldapsearch -b "dc=rnp,dc=local" -W -D "uid=myuser" objectclass=* returns me nothing.
I think you need objectClass in your targetAttr set. if You can't read the attribute, you can't do a comparison/filter on it.
Thanks!!
Alberto Viana _______________________________________________ 389-users mailing list -- 389-users@lists.fedoraproject.org To unsubscribe send an email to 389-users-leave@lists.fedoraproject.org Fedora Code of Conduct:
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives:
https://lists.fedoraproject.org/archives/list/389-users@lists.fedoraproject....
— Sincerely,
William Brown
Senior Software Engineer, 389 Directory Server SUSE Labs, Australia _______________________________________________ 389-users mailing list -- 389-users@lists.fedoraproject.org To unsubscribe send an email to 389-users-leave@lists.fedoraproject.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/389-users@lists.fedoraproject....
389-users mailing list -- 389-users@lists.fedoraproject.org To unsubscribe send an email to 389-users-leave@lists.fedoraproject.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/389-users@lists.fedoraproject....
389-users mailing list -- 389-users@lists.fedoraproject.org To unsubscribe send an email to 389-users-leave@lists.fedoraproject.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/389-users@lists.fedoraproject....
389-users@lists.fedoraproject.org