[389-users] setting up ACLs

Rich Megginson rmeggins at redhat.com
Mon Oct 10 17:02:05 UTC 2011


On 10/05/2011 08:30 AM, Karoly Czovek wrote:
> Hi there,
>
> I ran into a problem with the ACLs.
> I set up an account that needed to acquire only certain attributes, and I set the following ACL:
>
> (targetattr = "uid || mail || mailHost || accountType || accountStatus || mailAlternateAddress || mailForwardingAddress || mailUserPassword")
> (target = "ldap:///dc=moveone,dc=info")
> (targetfilter = ou=People)
> (version 3.0;
> acl "Email server can lookup some data";
> allow (read,compare,search)
> (userdn = "ldap:///cn=emailServerLookup,ou=People,dc=moveone,dc=info")
> ;)
>
>
>
> but the search gives back all the attributes, not only the allowed ones.
> What am I missing?
>
>
> the lookup:
>
> ldapsearch  -x -LLL -h ds  -b ou=People,dc=moveone,dc=info -D "cn=emailServerLookup,ou=People,dc=moveone,dc=info" -w TheSecretPassword uid=karoly.czovek
> dn: uid=karoly.czovek,ou=People,dc=moveone,dc=info
>
Does this aci conflict with the default anonymous search access aci that 
allows you to read every attribute except userPassword?
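The mechanism behind Rich's question is that 389 DS grants a right when any matching allow ACI grants it, so an allow on the whole suffix for "anyone" (a bind rule that covers authenticated binds as well as anonymous ones) hands the lookup account every attribute the stock anonymous ACI covers, regardless of how narrow the account's own ACI is. The Python below is an added example written for this page, not code from the thread or from 389 DS. It parses only the targetattr and userdn clauses (target and targetfilter are ignored in this model), uses the ACI from the post verbatim together with a reconstruction of the stock anonymous-access ACI (an assumption; read the aci attribute of your own suffix entry to see the real one), and computes which attributes of a constructed sample person entry each bind can read.

```python
"""Toy model of how 389 DS combines ACIs (added example, not from the thread).

Deliberate simplifications: only targetattr and userdn are evaluated, target and
targetfilter are ignored, and a missing targetattr is treated as "all attributes".
The decision order modelled is the documented one: no matching rule -> denied,
any matching deny -> denied, otherwise any matching allow -> granted.
"""
import re

# The ACI from the original post, verbatim.
LOOKUP_ACI = '''(targetattr = "uid || mail || mailHost || accountType || accountStatus || mailAlternateAddress || mailForwardingAddress || mailUserPassword")
(target = "ldap:///dc=moveone,dc=info")
(targetfilter = ou=People)
(version 3.0;
acl "Email server can lookup some data";
allow (read,compare,search)
(userdn = "ldap:///cn=emailServerLookup,ou=People,dc=moveone,dc=info")
;)'''

# Reconstruction (assumed, not taken from the thread) of the stock anonymous-access
# ACI 389 DS puts on a new suffix. Confirm yours: ldapsearch -b <suffix> -s base aci
ANONYMOUS_ACI = '''(targetattr!="userPassword")(version 3.0; acl "Enable anonymous access"; allow (read, search, compare) userdn="ldap:///anyone";)'''

LOOKUP_DN = "cn=emailServerLookup,ou=People,dc=moveone,dc=info"
ENTRY_DN = "uid=karoly.czovek,ou=People,dc=moveone,dc=info"

# Constructed sample: attribute names (lower-cased) present on the person entry.
SAMPLE_ENTRY_ATTRS = frozenset({
    "objectclass", "uid", "cn", "sn", "givenname", "mail", "mailhost",
    "accounttype", "accountstatus", "telephonenumber", "userpassword",
})

TARGETATTR_RE = re.compile(r'\(\s*targetattr\s*(!?=)\s*"([^"]*)"\s*\)', re.I)
RULE_RE = re.compile(r'\b(allow|deny)\s*\(([^)]*)\)\s*\(?\s*userdn\s*(!?=)\s*"([^"]+)"', re.I)


def _norm_dn(dn):
    """Lower-case a DN and drop whitespace around RDN separators for comparison."""
    return ",".join(part.strip() for part in dn.lower().split(","))


def parse_aci(text):
    """Extract the targetattr clause and the (allow|deny, rights, userdn) rules."""
    m = TARGETATTR_RE.search(text)
    if m:
        op, raw = m.groups()
        attrs = frozenset(a.strip().lower() for a in raw.split("||") if a.strip())
        negate = op == "!="
    else:
        attrs, negate = frozenset(), True  # no targetattr clause: treat as every attribute
    rules = []
    for kind, rights, dn_op, dn in RULE_RE.findall(text):
        rights = frozenset(r.strip().lower() for r in rights.split(","))
        rules.append((kind.lower(), rights, dn_op == "!=", dn.lower()))
    name = re.search(r'acl\s+"([^"]*)"', text, re.I)
    return {"name": name.group(1) if name else "?", "attrs": attrs,
            "negate": negate, "rules": rules}


def _targets_attr(aci, attr):
    hit = attr.lower() in aci["attrs"]
    return not hit if aci["negate"] else hit


def _userdn_matches(pattern, bind_dn, entry_dn):
    """Bind rules this model understands: anyone, all, self, and a literal DN."""
    if pattern == "ldap:///anyone":          # includes anonymous binds
        return True
    if bind_dn is None:                      # anonymous: nothing but "anyone" matches
        return False
    if pattern == "ldap:///all":             # any authenticated bind
        return True
    if pattern == "ldap:///self":
        return _norm_dn(bind_dn) == _norm_dn(entry_dn)
    return _norm_dn(bind_dn) == _norm_dn(pattern[len("ldap:///"):])


def readable_attrs(acis, bind_dn, entry_dn, entry_attrs, right="read"):
    """Attributes of one entry on which the bind holds `right` under the given ACIs."""
    granted = set()
    for attr in entry_attrs:
        allowed = denied = False
        for aci in acis:
            if not _targets_attr(aci, attr):
                continue
            for kind, rights, dn_negated, dn in aci["rules"]:
                if right not in rights:
                    continue
                if _userdn_matches(dn, bind_dn, entry_dn) != dn_negated:  # XOR with "!="
                    if kind == "deny":
                        denied = True
                    else:
                        allowed = True
        if allowed and not denied:           # a matching deny wins; no rule at all is a deny
            granted.add(attr)
    return frozenset(granted)


def effective_attrs(include_anonymous_aci, bind_dn):
    """Readable attributes of the sample entry, with or without the stock anonymous ACI."""
    acis = [parse_aci(LOOKUP_ACI)]
    if include_anonymous_aci:
        acis.append(parse_aci(ANONYMOUS_ACI))
    return readable_attrs(acis, bind_dn, ENTRY_DN, SAMPLE_ENTRY_ATTRS)


if __name__ == "__main__":
    for label, with_anon in (("with stock anonymous ACI", True), ("without it", False)):
        attrs = effective_attrs(with_anon, LOOKUP_DN)
        print(f"{label}: {len(attrs)} attributes -> {sorted(attrs)}")
```

Run stand-alone, it prints the two outcomes side by side: with the anonymous ACI in place the lookup account reads everything on the entry except userPassword, which is what the ldapsearch in the post returned; with that ACI removed, or narrowed so it no longer matches authenticated binds, the account sees only the attributes its own ACI names. A deny ACI for the lookup account would also suppress the extra attributes, because a matching deny wins, but narrowing the allow is the cleaner change and is what the 389 DS documentation steers towards.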


