directory-users mailing list archives

From Christian Felsing <...@felsing.net>
Subject Apache DS ACLs
Date Tue, 03 Sep 2013 13:50:41 GMT
Hello,

Now I have DS partially running with ACLs, but the following ACL does not
do what I expected:

{
    identificationTag "mtaAclElement",
    precedence 0,
    authenticationLevel simple,
    itemOrUserFirst userFirst:
    {
        userClasses
        {
            name { "cn=mta,dc=ip6,dc=li" }
        }
        ,
        userPermissions
        {
            {
                protectedItems
                {
                    entry,
                    attributeType
                    {
                        tsnetDomainName,
                        tsnetMailHost,
                        uid
                    }
                }
                ,
                grantsAndDenials
                {
                    grantBrowse,
                    grantRead,
                    grantReturnDN,
                    grantCompare
                }
            }
        }
    }
}

This ACL should allow DN cn=mta,dc=ip6,dc=li access to the attributes
uid
tsnetDomainName
tsnetMailHost
and to list all DN entries. A test (temporarily allowing all
attributes to be listed) proved that this ACL matches.

But

ldapsearch -H ldap://192.168.116.29:10389 -x -D "cn=mta,dc=ip6,dc=li" \
    -w VerySecretPassword -b "dc=ip6,dc=li"

lists DN entries only:

# pug@felsing.net, freemail, ip6.li
dn: uid=pug@felsing.net,ou=freemail,dc=ip6,dc=li
...

The attributes listed under attributeType are not shown.

Is attributeType the right discriminator?

Best regards,
Christian
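Under X.501 basic access control, which ApacheDS implements, the attributeType protected item covers only the attribute types; the values of those attributes are a separate protected item (attributeValue or allAttributeValues), and an attribute whose values are all filtered out is dropped from the search result, which matches what the message reports. The following is an added example, not the poster's configuration: the same ACI written as a prescriptiveACI in an access control subentry, with an allAttributeValues item added for the three attributes. The subentry name cn=mtaAci and the empty subtreeSpecification (the whole administrative area) are assumptions made for illustration.

```ldif
# Added example (not from the original post): the mtaAclElement ACI stored as a
# prescriptiveACI in an access control subentry under dc=ip6,dc=li.
# Assumptions: subentry name cn=mtaAci, empty subtreeSpecification (covers the
# whole administrative area), and that dc=ip6,dc=li already carries
# administrativeRole: accessControlSpecificArea.
dn: cn=mtaAci,dc=ip6,dc=li
objectClass: top
objectClass: subentry
objectClass: accessControlSubentry
cn: mtaAci
subtreeSpecification: { }
prescriptiveACI: { identificationTag "mtaAclElement", precedence 0,
  authenticationLevel simple,
  itemOrUserFirst userFirst: {
    userClasses { name { "cn=mta,dc=ip6,dc=li" } },
    userPermissions { {
      protectedItems {
        entry,
        attributeType { tsnetDomainName, tsnetMailHost, uid },
        allAttributeValues { tsnetDomainName, tsnetMailHost, uid }
      },
      grantsAndDenials { grantBrowse, grantRead, grantReturnDN, grantCompare }
    } }
  }
 }
```

Continuation lines in the LDIF start with a space, as the LDIF format requires, so the whole prescriptiveACI value is a single attribute value when loaded with ldapadd or ldapmodify -a. Listing the same three attributes under both attributeType and allAttributeValues keeps the grant narrow; allUserAttributeTypesAndValues would also make the values visible but would expose every user attribute of the matched entries.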
