Thread: Macro ACI not working as expected

Macro ACI not working as expected
user name
2006-11-09 17:51:28
I have set up a directory structure as follows:

ou=Domains,dc=example,dc=net
  o=hostedDomain1.com
   mail=user1@hostedDomain1.com
   mail=user2@hostedDomain1.com
   mail=user3@hostedDomain1.com
  o=hostedDomain2.net
   mail=user1@hostedDomain2.net
   mail=user2@hostedDomain2.net
   mail=user3@hostedDomain2.net
  o=hostedDomain3.com
   ...

I would like to allow any mail user to only read the attributes of the
users within their domain.  For example, user1@hostedDomain1.com can see
user2@hostedDomain1.com, but not user2@hostedDomain2.net.

I am not allowing anonymous access.
I have allowed access to the Domains OU with this aci entry (placed on
the Domains OU):

aci: (targetattr=*)(targetfilter=(ou=Domains)) (version 3.0;acl "Allow
read access to Domains OU";allow (read,search)
(userdn="ldap:///mail=*,o=*,ou=Domains,dc=example,dc=net");)

I have placed the following macro aci on the Domains OU without success:

aci:
(targetattr!="userPassword")
(target="ldap:///($dn),ou=Domains,dc=example,dc=net")
(version 3.0;acl "Allow read access to Domain members";allow
(read,search)(userdn="ldap:///mail=*,($dn),ou=Domains,dc=example,dc=net");)


As I understand it, the second aci should allow read and search access
to domain ($dn) and all entries below it.  However, the behavior that
I'm seeing is that the user can only see down to the domain with no
access to the sub-entries.  In other words, user1@hostedDomain1.com can
see o=hostedDomain1.com,ou=Domains,dc=example,dc=net, but can not see
anything below.

Am I missing something? How can I get this to work properly?

Thanks in advance.




--
Fedora-directory-users mailing list
Fedora-directory-users@redhat.com
https://www.redhat.com/mailman/listinfo/fedora-directory-users
Macro ACI not working as expected
user name
2006-11-09 19:19:18
Hey Dan,

Try enclosing your target in brackets like this:

aci:(targetattr!="userPassword")(target=(($dn),ou=Domains,dc=example,dc=net))(version
3.0;acl "Allow read access to Domain members";allow(read,search)
(userdn="ldap:///mail=*,($dn),ou=Domains,dc=example,dc=net");)

Let me know if that makes a difference.

Gordon

Macro ACI not working as expected
user name
2006-11-09 20:21:02
On Thu, 2006-11-09 at 14:19 -0500, Gordon May wrote:
> Hey Dan,
> 
> Try enclosing your target in brackets like this:
> 
> aci:(targetattr!="userPassword")(target=(($dn),ou=Domains,dc=example,dc=net))(version
> 3.0;acl "Allow read access to Domain members";allow(read,search)
> (userdn="ldap:///mail=*,($dn),ou=Domains,dc=example,dc=net");)
> 
> Let me know if that makes a difference.


No Luck.  I received a syntax error.  As I understand it, the subject of
a target keyword must be of the form "ldap:///distinguished_name".

Macro ACI not working as expected
user name
2006-11-10 18:53:53
On Thu, 2006-11-09 at 15:21 -0500, Dan wrote:
> On Thu, 2006-11-09 at 14:19 -0500, Gordon May wrote:
> > Hey Dan,
> > 
> > Try enclosing your target in brackets like this:
> > 
> > aci:(targetattr!="userPassword")(target=(($dn),ou=Domains,dc=example,dc=net))(version
> > 3.0;acl "Allow read access to Domain members";allow(read,search)
> > (userdn="ldap:///mail=*,($dn),ou=Domains,dc=example,dc=net");)
> > 
> > Let me know if that makes a difference.
> 
> No Luck.  I received a syntax error.  As I understand it, the subject of
> a target keyword must be of the form "ldap:///distinguished_name".
> 
I was able to get this working by using the following aci:

(targetattr!="userPassword")
(target="ldap:///($dn),ou=Domains,dc=example,dc=net")
(version 3.0;acl "Allow read access to Domain members";allow
(read,search)(userdn="ldap:///mail=*,[$dn],ou=Domains,dc=example,dc=net");)

I'm not sure why changing from ($dn) to [$dn] in the userdn bind rule
fixed the problem, but it did the trick.  I think it should have worked
either way, but I'm just happy it is ok now.
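
Editor's note: the following is an added Python model, not code from the thread or from Fedora/389 Directory Server, showing why the [$dn] form in the userdn bind rule grants access to the sibling mail entries while ($dn) only reaches the domain entry. It assumes the documented macro ACI semantics (the target's ($dn) captures the part of the entry DN in front of the fixed suffix; in the subject, ($dn) is replaced by exactly that capture, while [$dn] is tried with the capture and then with its leftmost RDNs stripped one at a time), and it simplifies DN matching to one wildcard per RDN value.

```python
"""Model of macro ACI expansion: ($dn) vs [$dn] in the userdn bind rule.

Added example (not server code). Assumption: it follows the documented
Fedora/389 Directory Server macro ACI semantics described in the lead-in.
"""
from fnmatch import fnmatchcase
from typing import List, Optional

SUFFIX = "ou=Domains,dc=example,dc=net"   # fixed part of target ldap:///($dn),SUFFIX


def match_target(entry_dn: str) -> Optional[str]:
    """Return what ($dn) captures from entry_dn for target ldap:///($dn),SUFFIX."""
    tail = "," + SUFFIX
    if not entry_dn.endswith(tail) or len(entry_dn) == len(tail):
        return None                        # target does not apply to this entry
    return entry_dn[: -len(tail)]


def subject_candidates(matched: str, macro: str) -> List[str]:
    """Values substituted for the macro inside the userdn bind rule."""
    if macro == "($dn)":
        return [matched]                   # exact capture only
    rdns = matched.split(",")              # [$dn]: strip RDNs from the left, in turn
    return [",".join(rdns[i:]) for i in range(len(rdns))]


def dn_matches(pattern: str, dn: str) -> bool:
    """Simplified userdn matching: same RDN count, '*' only within an RDN value."""
    p, d = pattern.split(","), dn.split(",")
    return len(p) == len(d) and all(fnmatchcase(val, pat) for val, pat in zip(d, p))


def allowed(bind_dn: str, entry_dn: str, macro: str) -> bool:
    """Does allow (read,search)(userdn="ldap:///mail=*,MACRO,SUFFIX") grant bind_dn
    access to entry_dn?"""
    matched = match_target(entry_dn)
    if matched is None:
        return False
    return any(dn_matches(f"mail=*,{cand},{SUFFIX}", bind_dn)
               for cand in subject_candidates(matched, macro))


if __name__ == "__main__":
    # Constructed sample DNs mirroring the tree posted in the thread.
    user1 = f"mail=user1@hostedDomain1.com,o=hostedDomain1.com,{SUFFIX}"
    domain1 = f"o=hostedDomain1.com,{SUFFIX}"
    user2 = f"mail=user2@hostedDomain1.com,o=hostedDomain1.com,{SUFFIX}"
    foreign = f"mail=user2@hostedDomain2.net,o=hostedDomain2.net,{SUFFIX}"
    for macro in ("($dn)", "[$dn]"):
        print(macro, "domain:", allowed(user1, domain1, macro),
              "sibling:", allowed(user1, user2, macro),
              "other domain:", allowed(user1, foreign, macro))
```

With ($dn) the capture for a mail entry is `mail=user2@...,o=hostedDomain1.com`, so the expanded bind rule has one RDN too many and never matches the bind DN; [$dn] also tries `o=hostedDomain1.com`, which matches, while a user from hostedDomain2.net still fails on the o= RDN.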
