[389-users] ACI invalid syntax
Rich Megginson
rmeggins at redhat.com
Wed Sep 4 14:21:08 UTC 2013
On 09/04/2013 08:11 AM, Mitja Mihelič wrote:
> Hi!
>
> We are moving our Directory server from CentOS 5 Directory Server to
> CentOS 6 with 389 Directory Server.
>
> Our DIT looks like this:
> dc=example,dc=com
> |- dc=guests,dc=example,dc=com
>
> We would like the users in dc=example,dc=com to have full write
> permissions for their own entries. Users in
> dc=guests,dc=example,dc=com must not have that permission.
>
> For that reason we had the following ACI applied to the
> dc=example,dc=com node:
> (targetattr = "*")
> (target = "ldap:///*@example.com,dc=example, dc=com")
> (version 3.0;
> acl "Write to example.com - self";
> allow (read,compare,search,write)
> (userdn = "ldap:///self")
> ;)
>
> This ACI works on the ol' CentOS 5 and the installed CentOS Directory
> server.
> However the very same ACI cannot be applied in the 389DS on CentOS 6.
> LDAPException: Invalid syntax (21)
>
> How should the ACI be written to work on CentOS 6 389DS?
Use two different ACIs.
On entry dc=example,dc=com have the allow aci for self.
On entry dc=guests,dc=example,dc=com have a deny aci for self.
>
> Kind regards,
> Mitja
>
More information about the 389-users
mailing list