William, I don't think that's the way to do that:
additional info: targetattr "objectclass=person" does not exist in schema. Please add attributeTypes "objectclass=person" to schema if necessary

(Also tried objectclass=*)

This one works:

(targetattr!="userPassword")(targetfilter="(|(objectclass=person)(objectclass=organizationalperson)(objectclass=inetOrgPerson)(objectClass=ntUser)(objectClass=eduPerson)(objectClass=brPerson)(objectClass=schacPersonalCharacteristics)(objectClass=pwmUser)(objectClass=inetuser)(objectClass=ntGroup))")

but I really need to restrict the attributes for this specific group of users.

Couldn't find a way to do what I want, maybe I'll have to change the filter.

Thanks

Alberto Viana

On Sun, Sep 27, 2020 at 8:49 PM William Brown <[email protected]> wrote:

> > On 26 Sep 2020, at 05:43, Alberto Viana <[email protected]> wrote:
> >
> > Hey Guys,
> >
> > Is it possible to restrict some users to read,search,compare just specific attributes but still use objectclass=* as a filter?
> >
> > My aci:
> > aci: (targetattr="uid || givenName || cn || sn || manager || mail")(targetfilter="(objectclass=*)")(version 3.0;aci "Access for app to specific needed attributes";allow (read,compare,search) groupdn="ldap:///cn=my-group";)
> >
> > If I do a ldapsearch with this user (myuser is in the group my-group):
> >
> > ldapsearch -b "dc=rnp,dc=local" -W -D "uid=myuser" uid=alberto.viana
> >
> > Returns me the user alberto.viana and the attributes that acis allows
> >
> > but if I do:
> >
> > ldapsearch -b "dc=rnp,dc=local" -W -D "uid=myuser" objectclass=*
> > returns me nothing.
>
> I think you need objectClass in your targetAttr set. If you can't read the attribute, you can't do a comparison/filter on it.
>
> >
> > Thanks!!
> >
> > Alberto Viana
> > _______________________________________________
> > 389-users mailing list -- [email protected]
> > To unsubscribe send an email to [email protected]
> > Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> > List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> > List Archives: https://lists.fedoraproject.org/archives/list/[email protected]
>
> —
> Sincerely,
>
> William Brown
>
> Senior Software Engineer, 389 Directory Server
> SUSE Labs, Australia
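The point in William's quoted reply, that an attribute used in a search filter must itself be covered by targetattr, can be checked before deploying an ACI. The Python sketch below is an added example, not code from this thread or from the 389 Directory Server project; it models a single allow ACI only, and the function names and FIXED_ACI (the thread's ACI with objectClass added) are assumptions made for illustration.

```python
import re

# Simplified model of ONE allow ACI: the entry target, bind rule, deny rules and
# every other ACI the real server evaluates are ignored (assumption of this sketch).
TARGETATTR = re.compile(r'\(\s*targetattr\s*(!?=)\s*"([^"]*)"', re.I)
RIGHTS = re.compile(r'allow\s*\(([^)]*)\)', re.I)
FILTER_ATTR = re.compile(r'\(\s*([A-Za-z][\w.;-]*?)\s*(?:[~<>]?=|:)')

def parse_aci(aci):
    """Return (attrs, negated, rights) parsed from one ACI string."""
    m = TARGETATTR.search(aci)
    if not m:
        raise ValueError("no targetattr keyword in ACI")
    attrs = {a.strip().lower() for a in m.group(2).split("||") if a.strip()}
    r = RIGHTS.search(aci)
    rights = {x.strip().lower() for x in r.group(1).split(",")} if r else set()
    return attrs, m.group(1) == "!=", rights

def filter_attributes(ldap_filter):
    """Attribute types referenced by a search filter, lower-cased, options dropped."""
    f = ldap_filter.strip()
    if not f.startswith("("):  # ldapsearch accepts a bare "attr=value"
        f = "(" + f + ")"
    return {a.split(";")[0].lower() for a in FILTER_ATTR.findall(f)}

def unsearchable(aci, ldap_filter):
    """Sorted filter attributes that this ACI does not make searchable."""
    attrs, negated, rights = parse_aci(aci)
    used = filter_attributes(ldap_filter)
    if not rights & {"search", "all"}:
        return sorted(used)
    if negated:  # targetattr!="x": everything except the listed attributes
        return sorted(used & attrs)
    if "*" in attrs:
        return []
    return sorted(used - attrs)

# ACI as posted in the thread, and a constructed variant with objectClass added.
THREAD_ACI = ('(targetattr="uid || givenName || cn || sn || manager || mail")'
              '(targetfilter="(objectclass=*)")(version 3.0;aci "Access for app to '
              'specific needed attributes";allow (read,compare,search) '
              'groupdn="ldap:///cn=my-group";)')
FIXED_ACI = THREAD_ACI.replace('"uid ||', '"objectClass || uid ||', 1)

if __name__ == "__main__":
    for aci in (THREAD_ACI, FIXED_ACI):
        for flt in ("uid=alberto.viana", "objectclass=*"):
            print(flt, "->", unsearchable(aci, flt) or "all filter attributes covered")
```

An empty result means only that this one ACI covers every attribute in the filter; the server's final decision still depends on the other ACIs in scope.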
