I have set up a directory structure as follows:

ou=Domains,dc=example,dc=net
  o=hostedDomain1.com
   [EMAIL PROTECTED]
   [EMAIL PROTECTED]
   [EMAIL PROTECTED]
  o=hostedDomain2.net
   [EMAIL PROTECTED]
   [EMAIL PROTECTED]
   [EMAIL PROTECTED]
  o=hostedDomain3.com
   ...

I would like to allow any mail user to only read the attributes of the
users within their domain.  For example, [EMAIL PROTECTED] can see
[EMAIL PROTECTED], but not [EMAIL PROTECTED].

I am not allowing anonymous access.
I have allowed access to the Domains OU with this aci entry (placed on
the Domains OU):

aci: (targetattr=*)(targetfilter=(ou=Domains)) (version 3.0;acl "Allow
read access to Domains OU";allow (read,search)
(userdn="ldap:///mail=*,o=*,ou=Domains,dc=example,dc=net";);)

I have placed the following macro aci on the Domains OU without success:

aci:
(targetattr!="userPassword")
(target="ldap:///($dn),ou=Domains,dc=example,dc=net")
(version 3.0;acl "Allow read access to Domain members";allow
(read,search)(userdn="ldap:///mail=*,($dn),ou=Domains,dc=example,dc=net");)

As I understand it, the second aci should allow read and search access
to domain ($dn) and all entries below it.  However, the behavior that
I'm seeing is that the user can only see down to the domain with no
access to the sub-entries.  In other words, [EMAIL PROTECTED] can
see o=hostedDomain1.com,ou=Domains,dc=example,dc=net,  but can not see
anything below.

Am I missing something? How can I get this to work properly?

Thanks in advance.

--
Fedora-directory-users mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/fedora-directory-users
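As an added example (not from the original post and not the directory server's own code), here is a small Python model of how the ($dn) macro in a 389/Fedora Directory Server ACI is matched against a resource DN and substituted into the bind rule, run against the posted second ACI with constructed DNs. The matching rule is my reading of the documented macro behaviour and of the symptom described above (domain entry visible, entries below it not), so treat it as an assumption; the [$dn] form it also evaluates goes beyond what the post uses.

```python
import fnmatch

# Constructed sample DNs (the post's addresses are redacted, so these are made up).
SUFFIX = "ou=Domains,dc=example,dc=net"
ALICE = "mail=alice@hostedDomain1.com,o=hostedDomain1.com," + SUFFIX   # bind DN
DOMAIN1 = "o=hostedDomain1.com," + SUFFIX
BOB = "mail=bob@hostedDomain1.com,o=hostedDomain1.com," + SUFFIX
CAROL = "mail=carol@hostedDomain2.net,o=hostedDomain2.net," + SUFFIX

# The posted macro ACI, split into its target and bind-rule parts (ldap:/// dropped).
POSTED_TARGET = "($dn)," + SUFFIX
POSTED_USERDN = "mail=*,($dn)," + SUFFIX


def match_dn_macro(target, resource_dn):
    """Value captured by ($dn) when target matches resource_dn, else None.
    Assumed rule: the resource must end with the text after ($dn); whatever
    remains (after any fixed text before ($dn)) is the macro value, however
    many RDNs long it is."""
    prefix, suffix = target.split("($dn)")
    if not resource_dn.endswith(suffix):
        return None
    head = resource_dn[: len(resource_dn) - len(suffix)]
    if prefix:
        i = head.rfind(prefix)
        if i < 0:
            return None
        head = head[i + len(prefix):]
    return head or None


def expand_userdn(userdn, dn_value):
    """($dn) substitutes the captured value once; [$dn] is tried with the full
    value and then with each shorter trailing RDN sequence."""
    if "[$dn]" in userdn:
        rdns = dn_value.split(",")
        return [userdn.replace("[$dn]", ",".join(rdns[i:])) for i in range(len(rdns))]
    return [userdn.replace("($dn)", dn_value)]


def granted(target, userdn, bind_dn, resource_dn):
    """True if bind_dn satisfies the expanded userdn rule for resource_dn."""
    dn_value = match_dn_macro(target, resource_dn)
    if dn_value is None:
        return False
    return any(fnmatch.fnmatchcase(bind_dn, p) for p in expand_userdn(userdn, dn_value))


if __name__ == "__main__":
    for res in (DOMAIN1, BOB, CAROL):
        print("posted ACI:", res, "->", granted(POSTED_TARGET, POSTED_USERDN, ALICE, res))
        print("[$dn] form:", res, "->", granted(POSTED_TARGET, "mail=*,[$dn]," + SUFFIX, ALICE, res))
```

Under this model the posted rule captures `mail=bob@...,o=hostedDomain1.com` as the macro value for a leaf entry, so the expanded userdn names a DN that no user has, which reproduces the "domain visible, nothing below" symptom.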
