[Fedora-directory-users] ACI to restrict access to sensitive attributes.
Alastair Neil
ajneil at gmail.com
Thu Jul 28 19:59:18 UTC 2005
I am struggling with setting ACIs to restrict access to certain attributes.
I would like the employeenumber attribute to be visible only to the user and
only if they are authenticated via sasl gssapi. I have tried several
variants of the following:
(target = "ldap:///ou=People, dc=ite,dc=gmu,dc=edu")
(targetattr ="employeeNumber")
(version 3.0;acl "EmployeeNumber";
deny (all) userdn="ldap:///anyone" |
allow (read) userdn="ldap:///self" and authmethod="sasl gssapi";
)
This one seems to deny access regardless of the authmethod or binddn used.
Anyone got any pointers?
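
An added example, not part of the original post and not the 389 Directory Server project's own configuration: in this ACI model a matching deny overrides any allow, so a `deny (all)` bound to `ldap:///anyone` also blocks the entry's owner. One way to express the policy described above is to deny only binds that are not the entry itself or did not use GSSAPI. The suffix is the one from the post; the two ACI names, the permission list and the ldapmodify-style LDIF are assumptions.

```ldif
# Constructed example: apply with ldapmodify as a user allowed to write ACIs.
dn: ou=People,dc=ite,dc=gmu,dc=edu
changetype: modify
add: aci
# Deny everything on employeeNumber unless the bind is BOTH the entry itself
# AND was made with SASL/GSSAPI. A deny wins over any allow elsewhere in the
# tree, so this also overrides a broad "anonymous read" ACI on the suffix.
aci: (targetattr = "employeeNumber")
 (version 3.0; acl "EmployeeNumber: deny unless self via GSSAPI";
 deny (all)
 (userdn != "ldap:///self" or authmethod != "SASL GSSAPI");)
# Grant the owner read-type access only on a GSSAPI bind. This rule is needed
# only if no existing ACI already lets users read their own entry.
aci: (targetattr = "employeeNumber")
 (version 3.0; acl "EmployeeNumber: self read via GSSAPI";
 allow (read, search, compare)
 (userdn = "ldap:///self" and authmethod = "SASL GSSAPI");)
```

To check the result, search for employeeNumber on your own entry once with a simple bind and once with a GSSAPI bind; only the second should return the attribute. Directory Manager is not subject to ACIs, so test with ordinary accounts.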