On 8 Feb 2021, at 19:18, N R <randria.nicolas(a)gmail.com> wrote:
Hi everyone,
Thanks to Ludwig's indications, I've been able to get the behaviour I
expected, using the filter with this ACI:
(targetattr = "*")
(target = "ldap:///cn=proxy,ou=Servers,dc=domain,dc=tld")
(version 3.0;
  acl "Allow only groups members to query this object";
  allow (all)
    (groupdn = "ldap:///cn=proxy,ou=Servers,dc=domain,dc=tld??sub?(objectclass=groupofuniquenames)");
)
Regarding the usage of the "*" wildcard, I realized I misunderstood the
documentation. I thought it could be used in the groupdn as in the
userdn or the filter.
Thanks to Pierre for helping me clarify this point.
A general thanks to all the contributors to this topic who helped me get
through my issue.
Best regards,
Cheers
As a final follow-up, you may wish to use targetattr = "attr | attr ..." instead
of "*". "*" in targetattr can reveal system-internal types.
See this for more:
https://access.redhat.com/documentation/en-us/red_hat_directory_server/11...
We also do NOT advise the use of "!=" targetattr rules, as these can lead to
bypasses.
Hope that helps! Happy to have you using 389-ds :)
—
Sincerely,
William Brown
Senior Software Engineer, 389 Directory Server
SUSE Labs, Australia
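To make the follow-up concrete, here is the ACI from the thread beside an allow-listed replacement, written as an ldapmodify LDIF. This is an added example, not something posted in the thread and not 389-ds project code. The attribute names in the allow-list (cn, description, seeAlso) are an assumption for illustration; list only what members of the group actually need. The separator between attribute names in targetattr is "||" in the 389-ds documentation.

```ldif
# Added example, not from the thread and not 389-ds project code.
# Attribute allow-list below (cn, description, seeAlso) is assumed for
# illustration; replace it with the attributes the group really needs.

dn: cn=proxy,ou=Servers,dc=domain,dc=tld
changetype: modify
# Remove the "*" rule from the thread: it grants the group every attribute
# on the entry, including system-internal (operational) attribute types.
delete: aci
aci: (targetattr = "*")(target = "ldap:///cn=proxy,ou=Servers,dc=domain,dc=tld")(version 3.0; acl "Allow only groups members to query this object"; allow (all) (groupdn = "ldap:///cn=proxy,ou=Servers,dc=domain,dc=tld??sub?(objectclass=groupofuniquenames)");)
-
# Replace it with an explicit allow-list of attribute names joined by "||".
add: aci
aci: (targetattr = "cn || description || seeAlso")(target = "ldap:///cn=proxy,ou=Servers,dc=domain,dc=tld")(version 3.0; acl "Allow only groups members to query this object"; allow (all) (groupdn = "ldap:///cn=proxy,ou=Servers,dc=domain,dc=tld??sub?(objectclass=groupofuniquenames)");)
-

# What NOT to write (left as a comment so it is never applied): a "!=" rule
# grants the permission on every attribute EXCEPT the ones listed, so any
# attribute not named here, including operational attributes and attributes
# added to the schema later, ends up covered by the grant.
# aci: (targetattr != "userPassword")(target = "ldap:///cn=proxy,ou=Servers,dc=domain,dc=tld")(version 3.0; acl "deny by exclusion"; allow (all) (groupdn = "ldap:///cn=proxy,ou=Servers,dc=domain,dc=tld??sub?(objectclass=groupofuniquenames)");)
```

Because "delete: aci" matches on the exact stored value, read the current value back with ldapsearch first and paste it verbatim; if it does not match, the modify fails and the old "*" rule stays in place alongside the new one.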