On Tue, 2018-02-27 at 13:44 +0100, Angel Bosch wrote:
> > A better way to write this is:
> > 
> > (targetattr = "mycustomattr")(version 3.0; acl "allow admins
> > mycustomattr"; allow (all) groupdn =
> > "ldap:///cn=admins,ou=Groups,dc=company,dc=global";;)
> > 
> > That's a better rule.
> > 
> 
> I've tried this and I still can see the attribute without binding
> (anonymous search).
> 
> 
> here you can see the custom attr imasLocalAdminPass
> 
> dn: uid=provamaquina01,ou=users,dc=example.net,dc=petratest,dc=proves,dc=global
> imasLocalAdminPass: 12345678test
> objectClass: account
> objectClass: top
> objectClass: posixAccount
> objectClass: imasMaquines
> uidNumber: 999999
> homeDirectory: /dev/null
> gidNumber: 999999
> cn: provamaquina01
> uid: provamaquina01
> entryLevelRights: vn
> attributeLevelRights: userPassword:wo, imasLocalAdminPass:rscwo, objectClass:rscwo, uidNumber:rscwo, homeDirectory:rscwo, gidNumber:rscwo, cn:rscwo, uid:rscwo
> 
>  

I need to see the ACIs on your server to help more. Can you please
send me (either to the list, or directly to my email) the output of:

ldapsearch -x -b "your basedn" -D 'cn=Directory Manager' -W -H ldaps://<your server> '(aci=*)' aci

That will help me answer the question as to what is causing this
attribute to be readable.

Thanks! 

> 
> thanks for your time, william.
-- 
Thanks,

William Brown
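
A first-pass triage of the ACI values that search returns, as an added example that is not part of the original message or of the 389 Directory Server project: it lists the ACIs that grant read-type rights to ldap:///anyone and whose targetattr covers a given attribute. The sample ACIs and function names are constructed; it assumes LDIF line folding has already been undone, treats an ACI with no targetattr as not targeting the attribute, and ignores deny rules and target/targetfilter scoping.

```python
import re

# Constructed sample ACI values (not taken from the poster's server).
SAMPLE_ACIS = [
    '(targetattr = "mycustomattr")(version 3.0; acl "allow admins mycustomattr"; '
    'allow (all) groupdn = "ldap:///cn=admins,ou=Groups,dc=company,dc=global";)',
    '(targetattr != "userPassword")(version 3.0; acl "Enable anonymous access"; '
    'allow (read, search, compare) userdn = "ldap:///anyone";)',
    '(targetattr = "cn || uid")(version 3.0; acl "public names"; '
    'allow (read, search) userdn = "ldap:///anyone";)',
]

TARGETATTR = re.compile(r'\(\s*targetattr\s*(!?=)\s*"([^"]*)"\s*\)', re.I)
ALLOW = re.compile(r'allow\s*\(([^)]*)\)\s*([^;]*);', re.I)
ACL_NAME = re.compile(r'acl\s+"([^"]*)"', re.I)
ANYONE = re.compile(r'userdn\s*=\s*"[^"]*ldap:///anyone', re.I)
READ_RIGHTS = {"read", "search", "compare", "all"}


def targets_attr(aci, attr):
    """True if the ACI's targetattr keyword covers attr ("=" list or "!=" exclusion)."""
    m = TARGETATTR.search(aci)
    if not m:
        return False  # assumption: no targetattr means no attribute is targeted
    names = [n.strip().lower() for n in m.group(2).split("||")]
    listed = "*" in names or attr.lower() in names
    return listed if m.group(1) == "=" else not listed


def grants_anonymous_read(aci):
    """True if any allow rule gives a read-type right to ldap:///anyone."""
    for rights, bind_rule in ALLOW.findall(aci):
        granted = {r.strip().lower() for r in rights.split(",")}
        if granted & READ_RIGHTS and ANYONE.search(bind_rule):
            return True
    return False


def exposing_acis(acis, attr):
    """Names of the ACIs that let an unauthenticated client read attr."""
    hits = []
    for aci in acis:
        if targets_attr(aci, attr) and grants_anonymous_read(aci):
            name = ACL_NAME.search(aci)
            hits.append(name.group(1) if name else "<unnamed>")
    return hits


if __name__ == "__main__":
    print(exposing_acis(SAMPLE_ACIS, "imasLocalAdminPass"))
```

An exclusion-style targetattr (everything except userPassword) covers any custom attribute added later, which is why the group-restricted ACI alone does not hide it in the constructed sample.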