On Thu, 2018-02-22 at 12:17 +0100, Angel Bosch wrote:
> I need one specific attribute to be hidden for anyone but one group.
> I've tested this one:
> (targetattr = "myCustomAttr") (version 3.0; acl "deny all but
> admins"; deny (all) groupdn !=
> and seems to work.
> Is this the right way to do it?
A better way to write this is:
(targetattr = "mycustomattr")(version 3.0; acl "allow admins
mycustomattr"; allow (all) groupdn =
That's a better rule.
> Can I face any side effects?
So if you apply the "allow" rather than the deny rule here, and a "non-admin" user can read mycustomattr, that indicates a bug in your ACLs.
I have some posts about this which might help:
This is a very common "anti-pattern" I see, and it creates huge
security issues. If you find with the "allow" version that this is
happening, check your other rules!
Hope that helps,
389-users mailing list -- firstname.lastname@example.org
To unsubscribe send an email to 389-users-le...@lists.fedoraproject.org