[389-users] ACI woes - not doing what I want it to
Rich Megginson
rmeggins at redhat.com
Mon Jul 12 20:24:16 UTC 2010
Anne (juniper) Cross wrote:
> ----- "Rich Megginson" <rmeggins at redhat.com> wrote:
>
>
>> Anne (juniper) Cross wrote:
>>
>>> I have this syntactically correct ACI:
>>>
>>> (targetattr = "*")
>>> (targetfilter="(ou=mailrouting-listserver)")
>>> (version 3.0;acl "Listserver Administrator";allow (all)
>>> (userdn = "ldap:///uid=listserve,ou=resource
>>>
>> accounts,ou=people,dc=itasoftware,dc=com");)
>>
>>> It's set on the ou=mailrouting-listserver,ou=resource
>>>
>> accounts,etc,etc branch.
>>
>>> I can authenticate successfully using the uid=listserve account, but
>>>
>> I cannot in fact write or change entries in the
>> ou=mailrouting-listserver branch using the account.
>>
>>> What have I missed?
>>>
>>>
>> Does it work if you remove the
>> (targetfilter="(ou=mailrouting-listserver) clause?
>>
>
> It does. I'm a bit wary of leaving it like that, but given that it's set on the branch, am I correct in assuming that it will only affect the branch beneath the point it is set?
>
Correct. In fact, what (targetfilter="(ou=mailrouting-listserver)")
means is "only entries which contain an ou attribute with the value of
mailrouting-listserver". Note that just because the DN contains
"...,ou=mailrouting-listserver,..." does not mean all target entries
contain "ou: mailrouting-listserver"
More information about the 389-users
mailing list