Hello,
now I got DS partially running with ACLs, but following ACL does not
what I expected:
{
identificationTag "mtaAclElement",
precedence 0,
authenticationLevel simple,
itemOrUserFirst userFirst:
{
userClasses
{
name { "cn=mta,dc=ip6,dc=li" }
}
,
userPermissions
{
{
protectedItems
{
entry,
attributeType
{
tsnetDomainName,
tsnetMailHost,
uid
}
}
,
grantsAndDenials
{
grantBrowse,
grantRead,
grantReturnDN,
grantCompare
}
}
}
}
}
This ACL should allow DN cn=mta,dc=ip6,dc=li access to attributes
uid
tsnetDomainName
tsnetMailHost
and to list all DN entries. A test (temporary allow to list all
attributes) proved that this ACL matches.
but
ldapsearch -H ldap://192.168.116.29:10389 -x -D "cn=mta,dc=ip6,dc=li" -w
VerySecretPassword -b "dc=ip6,dc=li"
lists DN entries only:
# [email protected], freemail, ip6.li
dn: [email protected],ou=freemail,dc=ip6,dc=li
...
Attributes listed on attributeType are not shown.
Is attributeType the right discriminator?
best regards
Christian
