[Fedora-directory-users] Macro ACI not working as expected

Dan deighton at gmail.com
Thu Nov 9 17:51:28 UTC 2006


I have set up a directory structure as follows:

ou=Domains,dc=example,dc=net
  o=hostedDomain1.com
   mail=user1@hostedDomain1.com
   mail=user2@hostedDomain1.com
   mail=user3@hostedDomain1.com
  o=hostedDomain2.net
   mail=user1@hostedDomain2.net
   mail=user2@hostedDomain2.net
   mail=user3@hostedDomain2.net
  o=hostedDomain3.com
   ...

I would like to allow any mail user to read only the attributes of the
users within their own domain.  For example, user1@hostedDomain1.com can see
user2@hostedDomain1.com, but not user2@hostedDomain2.net.

I am not allowing anonymous access.
I have allowed access to the Domains OU with this aci entry (placed on
the Domains OU):

aci: (targetattr=*)(targetfilter=(ou=Domains)) (version 3.0;acl "Allow
read access to Domains OU";allow (read,search)
(userdn="ldap:///mail=*,o=*,ou=Domains,dc=example,dc=net");)

I have placed the following macro aci on the Domains OU without success:

aci: 
(targetattr!="userPassword")
(target="ldap:///($dn),ou=Domains,dc=example,dc=net") 
(version 3.0;acl "Allow read access to Domain members";allow
(read,search)(userdn="ldap:///mail=*,($dn),ou=Domains,dc=example,dc=net");)


As I understand it, the second aci should allow read and search access
to domain ($dn) and all entries below it.  However, the behavior that
I'm seeing is that the user can only see down to the domain with no
access to the sub-entries.  In other words, user1@hostedDomain1.com can
see o=hostedDomain1.com,ou=Domains,dc=example,dc=net, but cannot see
anything below.

Am I missing something? How can I get this to work properly?

Thanks in advance.
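The following is an added example, not code from the original post, from the list, or from the directory server itself. It is a small Python model of how the macro substitution in a 389/Fedora Directory Server ACI is evaluated, written from my reading of the 389 DS macro ACI documentation: ($dn) in the target captures whatever run of RDNs sits in that position and that captured text replaces ($dn) in the bind rule, while [$dn] in the target is tried with the captured run and then with successively shorter right-hand tails of it. The DNs are the ones from the post; the [$dn] target is a hypothetical alternative, and the model simplifies real DN handling (no escaped commas, no multi-valued RDNs, the macro must be the leftmost target component).

```python
"""Toy model of macro ACI substitution in Fedora/389 Directory Server.

Added example, not code from the original post or from the directory server.
Assumed semantics (my reading of the 389 DS macro ACI documentation):
  - ($dn) in the target captures any run of RDNs in that position, and the
    captured text replaces ($dn) in the bind rule (userdn);
  - [$dn] in the target is tried with the captured run, then with its leftmost
    RDN dropped, and so on, until one substitution satisfies the bind rule.
Simplifications: no escaped commas, no multi-valued RDNs, exact-case RDN values,
and the macro must be the leftmost component of the target.
"""

MACROS = ("($dn)", "[$dn]")
SUFFIX = "ou=Domains,dc=example,dc=net"

# DNs from the post (the list archive had rewritten '@' as ' at ').
BIND = "mail=user1@hostedDomain1.com,o=hostedDomain1.com," + SUFFIX
DOMAIN = "o=hostedDomain1.com," + SUFFIX
PEER = "mail=user2@hostedDomain1.com,o=hostedDomain1.com," + SUFFIX
OTHER = "mail=user2@hostedDomain2.net,o=hostedDomain2.net," + SUFFIX

USERDN = "mail=*,($dn)," + SUFFIX          # bind rule as posted
POSTED_TARGET = "($dn)," + SUFFIX          # target as posted
WALKUP_TARGET = "[$dn]," + SUFFIX          # hypothetical alternative target


def split_dn(dn):
    """'a=b, c=d' -> ['a=b', 'c=d'] (assumes no escaped commas)."""
    return [rdn.strip() for rdn in dn.split(",") if rdn.strip()]


def rdn_matches(pattern, rdn):
    """'mail=*' matches any mail RDN; otherwise attribute and value must be equal."""
    p_attr, _, p_val = pattern.partition("=")
    r_attr, _, r_val = rdn.partition("=")
    if p_attr.strip().lower() != r_attr.strip().lower():
        return False
    return p_val.strip() == "*" or p_val.strip() == r_val.strip()


def dn_matches(pattern_dn, dn):
    """Whole-DN match: same number of RDNs, each matching in order."""
    pat, rdns = split_dn(pattern_dn), split_dn(dn)
    return len(pat) == len(rdns) and all(rdn_matches(p, r) for p, r in zip(pat, rdns))


def match_target(entry_dn, target):
    """Return (macro, captured RDN run) if entry_dn lies under the target, else None."""
    macro = next((m for m in MACROS if target.startswith(m + ",")), None)
    if macro is None:
        raise ValueError("toy model: target must start with ($dn) or [$dn]")
    suffix = split_dn(target[len(macro) + 1:])
    rdns = split_dn(entry_dn)
    if len(rdns) <= len(suffix) or rdns[-len(suffix):] != suffix:
        return None
    return macro, ",".join(rdns[:len(rdns) - len(suffix)])


def candidate_values(macro, captured):
    """($dn): only the captured run. [$dn]: the run, then each shorter right-hand tail."""
    rdns = split_dn(captured)
    if macro == "($dn)":
        return [captured]
    return [",".join(rdns[i:]) for i in range(len(rdns))]


def aci_grants(bind_dn, entry_dn, target, userdn):
    """Would an ACI with this target and userdn bind rule let bind_dn reach entry_dn?"""
    hit = match_target(entry_dn, target)
    if hit is None:
        return False
    macro, captured = hit
    return any(dn_matches(userdn.replace("($dn)", value), bind_dn)
               for value in candidate_values(macro, captured))


def evaluate(target):
    """Outcome for user1@hostedDomain1.com against three entries from the post."""
    return {name: aci_grants(BIND, dn, target, USERDN)
            for name, dn in (("own domain entry", DOMAIN),
                             ("peer in own domain", PEER),
                             ("user in other domain", OTHER))}


if __name__ == "__main__":
    for label, target in (("posted ($dn) target", POSTED_TARGET),
                          ("[$dn] target", WALKUP_TARGET)):
        print(label)
        for name, ok in evaluate(target).items():
            print(f"  {name:22s} {'allowed' if ok else 'denied'}")
```

Under these assumed semantics the posted target reproduces exactly what the post describes: for the domain entry the capture is o=hostedDomain1.com and the bind rule becomes mail=*,o=hostedDomain1.com,..., which matches the bound user, but for a peer entry the capture is mail=user2@...,o=hostedDomain1.com, so the substituted bind rule has one RDN too many and never matches. The model is only a way to reason about the substitution; the authoritative check is an ldapsearch bound as one of the mail users against the live server, comparing results before and after any ACI change and confirming that users in other domains are still denied.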