Ludwig,

Sorry, after I read again, I understood what he meant, everything is working fine.

Thanks

On Mon, Sep 28, 2020 at 10:23 AM Ludwig Krispenz <[email protected]> wrote:

> On 28.09.20 14:56, Alberto Viana wrote:
> > William,
> >
> > I don't think that's the way to do that:
> >
> > additional info: targetattr "objectclass=person" does not exist in schema.
> > Please add attributeTypes "objectclass=person" to schema if necessary (Also
> > tried objectclass=*)
>
> what aci did you try ?
>
> what William was saying is that if you use a searchfilter like
> "Objectclass=*" you need an aci that gives the user "search" rights for the
> attribute objectclass, so you would have to extend the targetattr in your
> original aci from
>
> (targetattr="uid || givenName || cn || sn || manager || mail")
>
> to
>
> (targetattr="objectclass || uid || givenName || cn || sn || manager || mail")
>
> or create another aci giving only search rights for objectclass
>
> Ludwig
>
> > This one works:
> >
> > (targetattr!="userPassword")(targetfilter="(|(objectclass=person)(objectclass=organizationalperson)(objectclass=inetOrgPerson)(objectClass=ntUser)(objectClass=eduPerson)(objectClass=brPerson)(objectClass=schacPersonalCharacteristics)(objectClass=pwmUser)(objectClass=inetuser)(objectClass=ntGroup))")
> >
> > but I really need to restrict the attributes for this specific group of
> > users.
> >
> > Couldn't find a way to do what I want, maybe I'll have to change the filter.
> >
> > Thanks
> >
> > Alberto Viana
> >
> > On Sun, Sep 27, 2020 at 8:49 PM William Brown <[email protected]> wrote:
> >
> > > > On 26 Sep 2020, at 05:43, Alberto Viana <[email protected]> wrote:
> > > >
> > > > Hey Guys,
> > > >
> > > > Is it possible to restrict some users to read,search,compare just
> > > > specific attributes but still use objectclass=* as a filter?
> > > >
> > > > My aci:
> > > >
> > > > aci: (targetattr="uid || givenName || cn || sn || manager || mail")(targetfilter="(objectclass=*)")(version 3.0;aci "Access for app to specific needed attributes";allow (read,compare,search) groupdn="ldap:///cn=my-group";)
> > > >
> > > > If I do a ldapsearch with this user (myuser is in the group my-group):
> > > >
> > > > ldapsearch -b "dc=rnp,dc=local" -W -D "uid=myuser" uid=alberto.viana
> > > >
> > > > Returns me the user alberto.viana and the attributes that acis allows
> > > >
> > > > but if I do:
> > > >
> > > > ldapsearch -b "dc=rnp,dc=local" -W -D "uid=myuser" objectclass=*
> > > >
> > > > returns me nothing.
> > >
> > > I think you need objectClass in your targetAttr set. if You can't read
> > > the attribute, you can't do a comparison/filter on it.
> > >
> > > > Thanks!!
> > > >
> > > > Alberto Viana
> > > > _______________________________________________
> > > > 389-users mailing list -- [email protected]
> > > > To unsubscribe send an email to [email protected]
> > > > Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> > > > List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> > > > List Archives: https://lists.fedoraproject.org/archives/list/[email protected]
> > >
> > > —
> > > Sincerely,
> > >
> > > William Brown
> > >
> > > Senior Software Engineer, 389 Directory Server
> > > SUSE Labs, Australia
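As an added example, not code from this thread or from 389 Directory Server, the following Python models the rule William and Ludwig describe: an attribute used in a search filter needs `search` rights under the ACI's targetattr, otherwise the entries are silently filtered out. It parses only the targetattr and allow clauses and ignores targetfilter and bind rules, which real ACI evaluation also checks; `ACI_ORIGINAL` is the ACI from the thread, while `ACI_FIXED`, `ACI_NEGATED` and the filter inputs are constructed from the thread's suggestions.

```python
import re

# ACIs from the thread: the original (no objectclass in targetattr) and
# Ludwig's suggested fix (constructed here by prepending objectclass).
ACI_ORIGINAL = (
    '(targetattr="uid || givenName || cn || sn || manager || mail")'
    '(targetfilter="(objectclass=*)")'
    '(version 3.0;aci "Access for app to specific needed attributes";'
    'allow (read,compare,search) groupdn="ldap:///cn=my-group";)'
)
ACI_FIXED = ACI_ORIGINAL.replace('(targetattr="uid', '(targetattr="objectclass || uid')
# Constructed variant of the "this one works" ACI: everything except userPassword.
ACI_NEGATED = (
    '(targetattr!="userPassword")(targetfilter="(objectclass=person)")'
    '(version 3.0;aci "all but password";allow (read,compare,search) '
    'groupdn="ldap:///cn=my-group";)'
)


def parse_aci(aci):
    """Return (targetattr names lowercased, negated flag, granted rights)."""
    m = re.search(r'\(targetattr\s*(!?=)\s*"([^"]*)"\)', aci, re.IGNORECASE)
    negated = m.group(1) == "!="
    attrs = {a.strip().lower() for a in m.group(2).split("||") if a.strip()}
    rights = re.search(r"allow\s*\(([^)]*)\)", aci, re.IGNORECASE).group(1)
    return attrs, negated, {r.strip().lower() for r in rights.split(",")}

def filter_attrs(ldap_filter):
    """Attribute names referenced in a simple RFC 4515 filter string."""
    return {a.lower() for a in re.findall(r"\(([A-Za-z][\w;-]*)\s*[~<>]?=", ldap_filter)}

def grants_search(aci, attr):
    """Does this ACI give 'search' on attr? Honors '*' and targetattr!=."""
    attrs, negated, rights = parse_aci(aci)
    if "search" not in rights:
        return False
    covered = "*" in attrs or attr.lower() in attrs
    return not covered if negated else covered

def missing_search_rights(aci, ldap_filter):
    """Filter attributes with no search right. A non-empty result means the
    search silently matches nothing, the symptom reported in the thread."""
    return sorted(a for a in filter_attrs(ldap_filter) if not grants_search(aci, a))

if __name__ == "__main__":
    for name, aci in (("original", ACI_ORIGINAL), ("fixed", ACI_FIXED)):
        print(name, missing_search_rights(aci, "(objectclass=*)"))
```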
