Ludwig,
Sorry,
After I read again, I understood what he meant, everything is working fine.
Thanks
On Mon, Sep 28, 2020 at 10:23 AM Ludwig Krispenz <krispenz(a)t-online.de>
wrote:
On 28.09.20 14:56, Alberto Viana wrote:
William,
I don't think thatś the way to do that:
additional info: targetattr "objectclass=person" does not exist in schema.
Please add attributeTypes "objectclass=person" to schema if necessary (Also
tried objectclass=*)
what aci did you try ?
what William was saying is that if you use a searchfilter like
"Objectclass=*" you need an aci that gives the user "search" rights
for the
attribute objectclass, so you would have to extend the targetattr in your
original aci from
(targetattr="uid || givenName || cn || sn || manager || mail")
to
(targetattr="objectclass || uid || givenName || cn || sn || manager ||
mail")
or create another aci giving only search rigthts for objectclass
Ludwig
This one works:
(targetattr!="userPassword")(targetfilter="(|(objectclass=person)(objectclass=organizationalperson)(objectclass=inetOrgPerson)(objectClass=ntUser)(objectClass=eduPerson)(objectClass=brPerson)(objectClass=schacPersonalCharacteristics)(objectClass=pwmUser)(objectClass=inetuser)(objectClass=ntGroup))")
but I really need to restrict the attributes for this specific group of
users.
Couldn find a way to do what I want, maybe I'll have to change the filter.
Thanks
Alberto Viana
On Sun, Sep 27, 2020 at 8:49 PM William Brown <wbrown(a)suse.de> wrote:
>
>
> > On 26 Sep 2020, at 05:43, Alberto Viana <albertocrj(a)gmail.com> wrote:
> >
> > Hey Guys,
> >
> > Is it possible to restrict some users to read,search,compare just
> specific attributes but still use objectclass=* as a filter?
> >
> > My aci:
> > aci: (targetattr="uid || givenName || cn || sn || manager ||
> mail")(targetfilter="(objectclass=*)")(version 3.0;aci "Access
for app to
> specific needed attributes";allow (read,compare,search) groupdn=
> "ldap:///cn=my-group";)
> >
> > If I do a ldapsearch with this user (myuser is in the group my-group):
> >
> > ldapsearch -b "dc=rnp,dc=local" -W -D "uid=myuser"
uid=alberto.viana
> >
> > Returns me the user alberto.viana and the attributes that acis allows
> >
> > but if I do:
> >
> > ldapsearch -b "dc=rnp,dc=local" -W -D "uid=myuser"
objectclass=*
> > returns me nothing.
>
> I think you need objectClass in your targetAttr set. if You can't read
> the attribute, you can't do a comparison/filter on it.
>
>
> >
> >
> > Thanks!!
> >
> > Alberto Viana
> > _______________________________________________
> > 389-users mailing list -- 389-users(a)lists.fedoraproject.org
> > To unsubscribe send an email to 389-users-leave(a)lists.fedoraproject.org
> > Fedora Code of Conduct:
>
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> > List Guidelines:
https://fedoraproject.org/wiki/Mailing_list_guidelines
> > List Archives:
>
https://lists.fedoraproject.org/archives/list/389-users@lists.fedoraproje...
>
> —
> Sincerely,
>
> William Brown
>
> Senior Software Engineer, 389 Directory Server
> SUSE Labs, Australia
> _______________________________________________
> 389-users mailing list -- 389-users(a)lists.fedoraproject.org
> To unsubscribe send an email to 389-users-leave(a)lists.fedoraproject.org
> Fedora Code of Conduct:
>
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> List Guidelines:
https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives:
>
https://lists.fedoraproject.org/archives/list/389-users@lists.fedoraproje...
>
_______________________________________________
389-users mailing list -- 389-users(a)lists.fedoraproject.org
To unsubscribe send an email to 389-users-leave(a)lists.fedoraproject.org
Fedora Code of Conduct:
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines:
https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives:
https://lists.fedoraproject.org/archives/list/389-users@lists.fedoraproje...
_______________________________________________
389-users mailing list -- 389-users(a)lists.fedoraproject.org
To unsubscribe send an email to 389-users-leave(a)lists.fedoraproject.org
Fedora Code of Conduct:
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines:
https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives:
https://lists.fedoraproject.org/archives/list/389-users@lists.fedoraproje...