ALAHYANE Rachid wrote:

I want to add an ACI to the LDAP server with aci-add and I do not know how to do it.

The aci to add is the following :

(targetattr = "friends,blockedfriends,givenName || sn || cn || displayName || title || initials || loginShell || gecos || homePhone || mobile || pager || facsimileTelephoneNumber || telephoneNumber || street || roomNumber || l || st || postalCode || manager || secretary || description || carLicense || labeledURI || inetUserHTTPURL || seeAlso || employeeType || businessCategory || ou")(version 3.0;acl "My Self service";allow (write) userdn = "ldap:///self";;)

The aci plugin can't handle self bind rules yet (I created ticket #80 to track this).

You can still add this with ldapmodify though.

First you need to replace the commas in your targetattr with ||, then you should be able to add it with something like:

ldapmodify -x -D 'cn=directory manager' -W
dn: dc=example,dc=com
changetype: modify
add: aci
aci: <your_aci>


Note that I added some new target attributes (also added to the LDAP schema). The last time I tried to modify an ACI, the ACI entry was deleted. It is for this reason that I am trying to add a new one.

What the aci plugin does in the modify case is delete the old aci and add a new one. The problem with the plugin wasn't shown until after the deletion, hence any aci you tried to modify you basically just deleted.


Freeipa-users mailing list
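
Added example, not part of the original thread: a shell helper for the two steps in the reply above, rewriting the commas inside targetattr to || and building the LDIF for ldapmodify. The function names, the shortened sample ACI and the file name add-aci.ldif are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not from the original thread).

# normalize_targetattr ACI
# Rewrites only the quoted attribute list after "targetattr": commas and
# existing "||" separators (with any spaces around them) become " || ".
# Commas elsewhere in the ACI, such as inside a bind-rule DN, are untouched.
normalize_targetattr() {
    printf '%s\n' "$1" | awk '
    {
        if (!match($0, /targetattr[ \t]*!?=[ \t]*"[^"]*"/)) { print; next }
        head   = substr($0, 1, RSTART - 1)
        clause = substr($0, RSTART, RLENGTH)
        tail   = substr($0, RSTART + RLENGTH)
        q      = index(clause, "\"")                 # opening quote
        list   = substr(clause, q + 1, length(clause) - q - 1)
        gsub(/[ \t]*(,|\|\|)[ \t]*/, " || ", list)
        print head substr(clause, 1, q) list "\"" tail
    }'
}

# aci_ldif SUFFIX_DN ACI
# Emits the modify/add LDIF shown in the reply, with the normalised ACI.
aci_ldif() {
    printf 'dn: %s\nchangetype: modify\nadd: aci\naci: %s\n' \
        "$1" "$(normalize_targetattr "$2")"
}

# Constructed sample: a shortened ACI with the same mixed separators.
SAMPLE_ACI='(targetattr = "friends,blockedfriends,givenName || sn || cn")(version 3.0; acl "My Self service"; allow (write) userdn = "ldap:///self";)'

# Print the LDIF for review before applying it.
aci_ldif 'dc=example,dc=com' "$SAMPLE_ACI"

# After review (file name is an assumption):
#   aci_ldif 'dc=example,dc=com' "$SAMPLE_ACI" > add-aci.ldif
#   ldapmodify -x -D 'cn=directory manager' -W -f add-aci.ldif
```

Reviewing the printed LDIF first matters here because the ACI grants write access; a wrong attribute in the list is easier to catch before it is on the suffix entry.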