On 31/10/2025 14:54, Mark Reynolds wrote:

Hi Jonathan,

Yes, so the issue is that the user who is binding does not have read
permission to shadowExpire.  Directory Manager bypasses any aci
restrictions.

So you need an aci something like this:

dn: ou=people,dc=example,dc=com
aci: (target="ldap:///ou=people,dc=example,dc=com";)(targetattr="shadowExpire")(version 3.0; acl "aci for shadowExpire"; allow(all) userdn="ldap:///uid=your_user,ou=people,dc=example,dc=com";;)


I have never dealt with modifying ACIs in LDAP before and I am obviously doing something wrong. After creating an ldif and trying to apply it I get the following error. I have of course changed the dn from my actual dn for security reasons.

ldap_modify: Invalid syntax (21)
additional info: ACL Syntax Error(-5):(target=\22ldap:///ou=people,dc=example,dc=com\22)(targetattr=\22shadowExpire\22)(version3.0; acl \22aci for shadowExpire\22; allow(read) userdn=\22ldap:///uid=readonly,ou=people,dc=example,dc=com\22;)


This is my ldif between the ###

###
dn: ou=people,dc=example,dc=com
changetype: modify
add: aci
aci: (target="ldap:///ou=people,dc=example,dc=com";)(targetattr="shadowExpire")(version3.0; acl "aci for shadowExpire"; allow(read) userdn="ldap:///uid=readonly,ou=people,dc=example,dc=com";;)
###

Any ideas what I am doing wrong?



JAB.

--
Jonathan A. Buzzard                         Tel: +44141-5483420
HPC System Administrator, ARCHIE-WeSt.
University of Strathclyde, John Anderson Building, Glasgow. G4 0NG
--
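As an added example (not code from the thread or from 389-ds), a small Python pre-check for the kind of ACI syntax mistake shown above, plus an LDIF writer that folds the long `aci:` line the way RFC 2849 describes so a mail client or editor cannot re-wrap it. The two ACI strings are constructed from the mail; the regex grammar is a simplification and an assumption, not the server's parser.

```python
import re

# ACI values constructed from the mail above: the one in the posted LDIF (rejected
# with "ACL Syntax Error") and the same ACI with the space in "version 3.0" restored.
BROKEN_ACI = ('(target="ldap:///ou=people,dc=example,dc=com";)(targetattr="shadowExpire")'
              '(version3.0; acl "aci for shadowExpire"; allow(read) '
              'userdn="ldap:///uid=readonly,ou=people,dc=example,dc=com";;)')
FIXED_ACI = ('(target="ldap:///ou=people,dc=example,dc=com")(targetattr="shadowExpire")'
             '(version 3.0; acl "aci for shadowExpire"; allow(read) '
             'userdn="ldap:///uid=readonly,ou=people,dc=example,dc=com";)')

TARGET_RE = re.compile(r'\((target\w*)\s*!?=\s*"([^"]*)"\s*;?\s*\)')
BODY_RE = re.compile(r'\(version\s+3\.0\s*;\s*acl\s+"[^"]*"\s*;(.*)\)\s*$', re.S)
RULE_RE = re.compile(r'(allow|deny)\s*\(([^)]*)\)\s*([^;]+);')

def lint_aci(aci):
    """Hypothetical pre-check for the mistakes seen in this thread (not the server's
    grammar).  Returns (targets, rules, problems); a rule is (allow|deny, {perms}, bind)."""
    problems, targets = [], dict(TARGET_RE.findall(aci))
    body = BODY_RE.search(aci)
    if body is None:
        if re.search(r'\(version\d', aci):        # exactly the error in the posted LDIF
            problems.append('"version" needs a space before 3.0: (version 3.0; ...)')
        else:
            problems.append('missing (version 3.0; acl "name"; ...) section')
        return targets, [], problems
    rules = [(kind, {p.strip() for p in perms.split(',')}, bind.strip())
             for kind, perms, bind in RULE_RE.findall(body.group(1))]
    if not rules:
        problems.append('no allow(...)/deny(...) rule before the closing ";)"')
    return targets, rules, problems

def grants(aci, attr, perm):
    """True if a clean ACI allows `perm` on `attr` (targetattr may list a||b or *)."""
    targets, rules, problems = lint_aci(aci)
    attrs = {a.strip().lower() for a in targets.get('targetattr', '*').split('||')}
    return (not problems and ('*' in attrs or attr.lower() in attrs) and
            any(k == 'allow' and {perm, 'all'} & ps for k, ps, _ in rules))

def ldif_add_aci(dn, aci, width=76):
    """LDIF 'add: aci' record with the value folded as RFC 2849 does (continuation
    lines start with one space), so re-wrapping by a mail client or editor cannot
    glue tokens together the way "version3.0" happened above."""
    line = 'aci: ' + aci
    folded = [line[:width]]
    line = line[width:]
    while line:
        folded.append(' ' + line[:width - 1])
        line = line[width - 1:]
    return '\n'.join([f'dn: {dn}', 'changetype: modify', 'add: aci'] + folded) + '\n'
```

Run `lint_aci` on a value before feeding the record to ldapmodify; `grants` is a quick least-privilege check that the rule gives the bind user read on shadowExpire and nothing wider.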
_______________________________________________
389-users mailing list -- [email protected]