Which version are you using?

On Tue, Sep 3, 2013 at 7:20 PM, Christian Felsing <[email protected]> wrote:
> Hello,
>
> now I got DS partially running with ACLs, but the following ACL does not
> do what I expected:
>
> {
>   identificationTag "mtaAclElement",
>   precedence 0,
>   authenticationLevel simple,
>   itemOrUserFirst userFirst:
>   {
>     userClasses
>     {
>       name { "cn=mta,dc=ip6,dc=li" }
>     }
>     ,
>     userPermissions
>     {
>       {
>         protectedItems
>         {
>           entry,
>           attributeType
>           {
>             tsnetDomainName,
>             tsnetMailHost,
>             uid
>           }
>         }
>         ,
>         grantsAndDenials
>         {
>           grantBrowse,
>           grantRead,
>           grantReturnDN,
>           grantCompare
>         }
>       }
>     }
>   }
> }
>
> This ACL should allow DN cn=mta,dc=ip6,dc=li access to attributes
>   uid
>   tsnetDomainName
>   tsnetMailHost
> and to list all DN entries. A test (temporarily allowing all
> attributes to be listed) proved that this ACL matches.
>
> but
> ldapsearch -H ldap://192.168.116.29:10389 -x -D "cn=mta,dc=ip6,dc=li" -w
> VerySecretPassword -b "dc=ip6,dc=li"
>
> lists DN entries only:
>
> # [email protected], freemail, ip6.li
> dn: [email protected],ou=freemail,dc=ip6,dc=li
> ...
>
> Attributes listed under attributeType are not shown.
>
> Is attributeType the right discriminator?
>
> best regards
> Christian
>

--
Kiran Ayyagari
http://keydap.com
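One thing to check in an ACI like the one quoted above, as an added example that is not part of the original thread or of ApacheDS: which attribute types are protected by `attributeType` without their values also being covered. It assumes the X.501 Basic Access Control meaning of protected items, where `attributeType` covers the type only and values need `allAttributeValues` or `allUserAttributeTypesAndValues`; the function names and the `ACI_WITH_VALUES` variant are hypothetical.

```python
import re

# Constructed sample: the ACI quoted in the message above, whitespace condensed.
ACI = """
{ identificationTag "mtaAclElement", precedence 0, authenticationLevel simple,
  itemOrUserFirst userFirst: {
    userClasses { name { "cn=mta,dc=ip6,dc=li" } },
    userPermissions { {
      protectedItems { entry, attributeType { tsnetDomainName, tsnetMailHost, uid } },
      grantsAndDenials { grantBrowse, grantRead, grantReturnDN, grantCompare }
    } }
  } }
"""
# Hypothetical variant that also names the values of the same three attributes.
ACI_WITH_VALUES = ACI.replace(
    "attributeType { tsnetDomainName, tsnetMailHost, uid }",
    "attributeType { tsnetDomainName, tsnetMailHost, uid }, "
    "allAttributeValues { tsnetDomainName, tsnetMailHost, uid }")

def balanced_block(text, start):
    """Return the text inside the first brace pair opening at or after start."""
    open_at = text.index("{", start)
    depth = 0
    for i in range(open_at, len(text)):
        if text[i] == "{":
            depth += 1
        elif text[i] == "}":
            depth -= 1
            if depth == 0:
                return text[open_at + 1:i]
    raise ValueError("unbalanced braces in ACI")

def names_in(block, keyword):
    """Collect attribute names from every `keyword { a, b, c }` list in block."""
    found = set()
    for m in re.finditer(r"\b%s\s*\{([^{}]*)\}" % re.escape(keyword), block):
        found.update(n.strip() for n in m.group(1).split(",") if n.strip())
    return found

def types_without_values(aci):
    """Types named under attributeType whose values no protectedItems block covers.
    Simplification: blocks are pooled and the grants on each block are ignored."""
    types, values, all_user = set(), set(), False
    for m in re.finditer(r"\bprotectedItems\b", aci):
        block = balanced_block(aci, m.end())
        types |= names_in(block, "attributeType")
        values |= names_in(block, "allAttributeValues")
        all_user = all_user or "allUserAttributeTypesAndValues" in block
    return set() if all_user else types - values
```

For the quoted ACI the function returns all three attribute names; for the variant it returns an empty set.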
