> Finn Fysj via FreeIPA-users wrote:
>
> Seems unlikely that anonymous ACIs would prevent HBAC from working.
> Especially ACIs that don't apply to the bound dn.
>
> These ACIs also apply very broadly across the server. For example, the
> user and group ACIs overlap with memberof. You probably want to use a
> different subtree, say the user container for the first and last, and
> the group container for that one.
>
> rob

Thank you for your response, Rob.
I managed to solve this before reading your comment; however, could you please explain to me why it didn't work and why it works now?

Looking at this through the eyes of the UI: the old solution was using the "Subtree" field with:

Subtree: dc=example,dc=com

This was replaced with the use of "Type: User" with attribute: "memberof", and "Type: Group" with attributes: member and memberof for the anonymous group permission.

How can this small thing make such a huge difference? (This is very new to me.)