ACI woes - not doing what I want it to
Anne (juniper) Cross wrote:
> I have this syntactically correct ACI:
>
> (targetattr = "*")
> (targetfilter="(ou=mailrouting-listserver)")
> (version 3.0;acl "Listserver Administrator";allow (all)
> (userdn = "ldap:///uid=listserve,ou=resource accounts,ou=people,dc=itasoftware,dc=com");)
>
> It's set on the ou=mailrouting-listserver,ou=resource accounts,etc,etc branch.
>
> I can authenticate successfully using the uid=listserve account, but I cannot in fact write or change entries in the ou=mailrouting-listserver branch using the account.
>
> What have I missed?
>
Does it work if you remove the (targetfilter="(ou=mailrouting-listserver) clause?

--
389 users mailing list
389-users@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/389-users
ACI woes - not doing what I want it to
----- "Rich Megginson" <rmeggins@redhat.com> wrote:
> Anne (juniper) Cross wrote:
> > I have this syntactically correct ACI:
> >
> > (targetattr = "*")
> > (targetfilter="(ou=mailrouting-listserver)")
> > (version 3.0;acl "Listserver Administrator";allow (all)
> > (userdn = "ldap:///uid=listserve,ou=resource accounts,ou=people,dc=itasoftware,dc=com");)
> >
> > It's set on the ou=mailrouting-listserver,ou=resource accounts,etc,etc branch.
> >
> > I can authenticate successfully using the uid=listserve account, but I cannot in fact write or change entries in the ou=mailrouting-listserver branch using the account.
> >
> > What have I missed?
> >
> Does it work if you remove the (targetfilter="(ou=mailrouting-listserver) clause?

It does. I'm a bit wary of leaving it like that, but given that it's set on the branch, am I correct in assuming that it will only affect the branch beneath the point it is set?

--
Anne "juniper" Cross
Extropic Crusader, Email Plumber
Information Technology, ITA Software
ACI woes - not doing what I want it to
Anne (juniper) Cross wrote:
> ----- "Rich Megginson" <rmeggins@redhat.com> wrote:
>
>> Anne (juniper) Cross wrote:
>>
>>> I have this syntactically correct ACI:
>>>
>>> (targetattr = "*")
>>> (targetfilter="(ou=mailrouting-listserver)")
>>> (version 3.0;acl "Listserver Administrator";allow (all)
>>> (userdn = "ldap:///uid=listserve,ou=resource accounts,ou=people,dc=itasoftware,dc=com");)
>>>
>>> It's set on the ou=mailrouting-listserver,ou=resource accounts,etc,etc branch.
>>>
>>> I can authenticate successfully using the uid=listserve account, but I cannot in fact write or change entries in the ou=mailrouting-listserver branch using the account.
>>>
>>> What have I missed?
>>>
>> Does it work if you remove the (targetfilter="(ou=mailrouting-listserver) clause?
>>
>
> It does. I'm a bit wary of leaving it like that, but given that it's set on the branch, am I correct in assuming that it will only affect the branch beneath the point it is set?
>
Correct. In fact, what (targetfilter="(ou=mailrouting-listserver)") means is "only entries which contain an ou attribute with the value of mailrouting-listserver". Note that just because the DN contains "...,ou=mailrouting-listserver,..." does not mean all target entries contain "ou: mailrouting-listserver".
ACI woes - not doing what I want it to
----- "Rich Megginson" <rmeggins@redhat.com> wrote:
> > It does. I'm a bit wary of leaving it like that, but given that it's set on the branch, am I correct in assuming that it will only affect the branch beneath the point it is set?
> >
> Correct. In fact, what (targetfilter="(ou=mailrouting-listserver)") means is "only entries which contain an ou attribute with the value of mailrouting-listserver". Note that just because the DN contains "...,ou=mailrouting-listserver,..." does not mean all target entries contain "ou: mailrouting-listserver"

Ahah! Enlightenment. Thanks for your help!

-- juniper

--
Anne "juniper" Cross
Extropic Crusader, Email Plumber
Information Technology, ITA Software
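
The behaviour explained in the thread, modelled offline as an added example (not part of the original messages and not 389 Directory Server code): an ACI stored on a branch applies to that subtree, and an equality targetfilter narrows it to entries whose own attributes match, regardless of what their DN contains. The dc=example,dc=com entries and the helper functions are constructed for illustration.

```python
# Added illustration: models ACI subtree scope plus an equality targetfilter.
# Every DN and entry below is constructed sample data under dc=example,dc=com.
SAMPLE_LDIF = """\
dn: ou=mailrouting-listserver,ou=resource accounts,dc=example,dc=com
ou: mailrouting-listserver

dn: cn=announce,ou=mailrouting-listserver,ou=resource accounts,dc=example,dc=com
cn: announce

dn: cn=staff,ou=mailrouting-listserver,ou=resource accounts,dc=example,dc=com
cn: staff
ou: mailrouting-listserver

dn: uid=listserve,ou=resource accounts,dc=example,dc=com
uid: listserve
"""

def parse_ldif(text):
    """Parse simple (unfolded, non-base64) LDIF into (dn, attrs) pairs."""
    entries = []
    for block in text.strip().split("\n\n"):
        attrs = {}
        for line in block.splitlines():
            name, _, value = line.partition(": ")
            attrs.setdefault(name.lower(), []).append(value)
        entries.append((attrs.pop("dn")[0], attrs))
    return entries

def matches_equality(attrs, filt):
    """Evaluate one (attr=value) filter against the entry's attributes, never its DN."""
    attr, _, value = filt.strip("()").partition("=")
    return value.lower() in (v.lower() for v in attrs.get(attr.lower(), []))

def in_subtree(dn, base):
    """True if dn is the base entry itself or lies beneath it."""
    dn, base = dn.lower(), base.lower()
    return dn == base or dn.endswith("," + base)

def aci_targets(entries, base, targetfilter=None):
    """DNs an ACI stored on `base` applies to, optionally narrowed by targetfilter."""
    return [dn for dn, attrs in entries
            if in_subtree(dn, base)
            and (targetfilter is None or matches_equality(attrs, targetfilter))]

BASE = "ou=mailrouting-listserver,ou=resource accounts,dc=example,dc=com"
ENTRIES = parse_ldif(SAMPLE_LDIF)

if __name__ == "__main__":
    for filt in ("(ou=mailrouting-listserver)", None):
        print(filt, "->", aci_targets(ENTRIES, BASE, filt))
```

With the filter, only the branch entry and cn=staff are selected; cn=announce sits under the branch but carries no ou attribute, so the filtered ACI does not cover it. Without the filter, all three entries under the branch are covered and uid=listserve, which lies outside it, is not.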