Hi everyone,
I'm not an English native speaker, so please forgive me if there's
mistakes in this e-mail.
OS : Fedora 30
389ds version / build number : 1.4.1.14 / 2020.023.2226
I'm struggling with ACI and despite hours of documentation reading, I
don't understand how to make it work as I want.
Basic directory structure
==================
dc=domain,dc=tld
|
+---ou=Servers
|
+---cn=proxy <---- here is where I add the ACI
|
+---cn=group1
|
+---cn=group2
===================
Container "proxy" is a "iphost" object.
I'm trying to allow only members of any group inside "cn=proxy" to
access attributes of "cn=proxy".
Relying on redhat directory server documentation, I've tried the
following ACI which didn't worked the way I wanted:
(targetattr = "*") (target =
"ldap:///cn=proxy,ou=Servers,dc=domain,dc=tld") (version 3.0;acl
"Allow only groups members to query this object";allow (all)(groupdn =
"ldap:///cn=proxy,ou=Servers,dc=domain,dc=tld??sub");)
(targetattr = "*") (target =
"ldap:///cn=proxy,ou=Servers,dc=domain,dc=tld") (version 3.0;acl
"Allow only groups members to query this object";allow (all)(groupdn =
"ldap:///cn=*,cn=proxy,ou=Servers,dc=domain,dc=tld");)
I used informations provided on
https://access.redhat.com/documentation/en-us/red_hat_directory_server/11...
but I don't understand how to adapt them to my use-case.
The ugly and suboptimal way of solving it would be to list every group
within "cn=proxy" in the ACI, but I'm almost sure there's a better way
to do it.
Thanks in advance for your replies and any possible help.
Cheers,
--
Nicolas Randrianarisoa