On 02/27/2018 01:44 PM, Angel Bosch wrote:
A better way to write this is:

(targetattr = "mycustomattr")(version 3.0; acl "allow admins mycustomattr"; allow (all) groupdn = "ldap:///cn=admins,ou=Groups,dc=company,dc=global";;)

That's a better rule.

I've tried this and I still can see the attribute without binding (anonymous search).
this means you have another aci which allows access for anonymous. The "deny" method works as the evaluation of the deny acis has precedence over the allow acis. But I think what William's point is, you are fixing specific access and then will do it again ... and again. The preferable way is to design acis based on who should be allowed to do what and only have explicit allow rules, and no broad allows which need to get holes punched into by denys


here you can see the custom attr imasLocalAdminPass

dn: uid=provamaquina01,ou=users,dc=example.net,dc=petratest,dc=proves,dc=global
imasLocalAdminPass: 12345678test
objectClass: account
objectClass: top
objectClass: posixAccount
objectClass: imasMaquines
uidNumber: 999999
homeDirectory: /dev/null
gidNumber: 999999
cn: provamaquina01
uid: provamaquina01
entryLevelRights: vn
attributeLevelRights: userPassword:wo, imasLocalAdminPass:rscwo, objectClass:r
  scwo, uidNumber:rscwo, homeDirectory:rscwo, gidNumber:rscwo, cn:rscwo, uid:r
  scwo

Thanks for your time, William.
_______________________________________________
389-users mailing list -- 389-users@lists.fedoraproject.org
To unsubscribe send an email to 389-users-le...@lists.fedoraproject.org

--
Red Hat GmbH, http://www.de.redhat.com/, Registered seat: Grasbrunn,
Commercial register: Amtsgericht Muenchen, HRB 153243,
Managing Directors: Charles Cachera, Michael Cunningham, Michael O'Neill, Eric 
Shander