
[Fedora-directory-users] Macro ACI not working as expected



I have set up a directory structure as follows:

ou=Domains,dc=example,dc=net
  o=hostedDomain1.com
   mail=user1@hostedDomain1.com
   mail=user2@hostedDomain1.com
   mail=user3@hostedDomain1.com
  o=hostedDomain2.net
   mail=user1@hostedDomain2.net
   mail=user2@hostedDomain2.net
   mail=user3@hostedDomain2.net
  o=hostedDomain3.com
   ...

I would like to allow any mail user to only read the attributes of the
users within their domain.  For example, user1@hostedDomain1.com can see
user2@hostedDomain1.com, but not user2@hostedDomain2.net.

I am not allowing anonymous access.
I have allowed access to the Domains OU with this aci entry (placed on
the Domains OU):

aci: (targetattr=*)(targetfilter=(ou=Domains)) (version 3.0;acl "Allow
read access to Domains OU";allow (read,search)
(userdn="ldap:///mail=*,o=*,ou=Domains,dc=example,dc=net";);)

I have placed the following macro aci on the Domains OU without success:

aci: (targetattr!="userPassword")
(target="ldap:///($dn),ou=Domains,dc=example,dc=net")
(version 3.0;acl "Allow read access to Domain members";allow
(read,search)(userdn="ldap:///mail=*,($dn),ou=Domains,dc=example,dc=net");)


As I understand it, the second aci should allow read and search access
to domain ($dn) and all entries below it.  However, the behavior that
I'm seeing is that the user can only see down to the domain with no
access to the sub-entries.  In other words, user1@hostedDomain1.com can
see o=hostedDomain1.com,ou=Domains,dc=example,dc=net, but cannot see
anything below.

Am I missing something? How can I get this to work properly?

Thanks in advance.
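Added here as an illustration, not part of the post or of 389 Directory Server: a small Python model of the ($dn) substitution rule, under the assumption that the macro absorbs everything in the entry DN between the target's fixed prefix and suffix and that the same text is substituted into the userdn bind rule. It evaluates the posted ACI and a hypothetical variant that pins the mail RDN in the target, which is something to verify on a real server rather than take as given.

```python
import re

# Constructed model (not 389 DS code) of macro-ACI evaluation. Assumption: ($dn)
# in the target absorbs the whole part of the entry DN between the target's fixed
# prefix and suffix, and that same text replaces ($dn) in the userdn bind rule.
SUFFIX = "ou=Domains,dc=example,dc=net"

def _wild(fixed):
    """DN fragment with '*' wildcards -> regex; '*' matches one RDN value."""
    return re.escape(fixed).replace(r"\*", "[^,]*")

def macro_match(target, entry_dn):
    """Return the text ($dn) stands for when entry_dn matches target, else None."""
    before, after = target.split("ldap:///", 1)[-1].split("($dn)")
    m = re.match("^" + _wild(before) + "(?P<dn>.+)" + _wild(after) + "$",
                 entry_dn, re.IGNORECASE)          # DNs compare case-insensitively
    return m.group("dn") if m else None

def allowed(target, userdn, entry_dn, bind_dn):
    """True if bind_dn satisfies the userdn rule after ($dn) substitution."""
    dn_value = macro_match(target, entry_dn)
    if dn_value is None:
        return False                                # target does not cover the entry
    rule = userdn.split("ldap:///", 1)[-1].replace("($dn)", dn_value)
    return re.fullmatch(_wild(rule), bind_dn, re.IGNORECASE) is not None

# The ACI as posted, evaluated for user1@hostedDomain1.com (constructed DNs).
POSTED_TARGET = f"ldap:///($dn),{SUFFIX}"
USERDN = f"ldap:///mail=*,($dn),{SUFFIX}"
BIND = f"mail=user1@hostedDomain1.com,o=hostedDomain1.com,{SUFFIX}"
ENTRIES = (f"o=hostedDomain1.com,{SUFFIX}",                                   # own domain
           f"mail=user2@hostedDomain1.com,o=hostedDomain1.com,{SUFFIX}",      # sibling user
           f"mail=user2@hostedDomain2.net,o=hostedDomain2.net,{SUFFIX}")      # other domain

def posted_aci():
    """($dn) swallows 'mail=user2@...,o=hostedDomain1.com' for entries below the
    domain, so the substituted bind rule no longer matches the bound user."""
    return [allowed(POSTED_TARGET, USERDN, e, BIND) for e in ENTRIES]

# Hypothetical variant to verify on a real server: pin the user RDN in the target
# so ($dn) can only capture the o=<domain> component.
PINNED_TARGET = f"ldap:///mail=*,($dn),{SUFFIX}"

def pinned_aci():
    return [allowed(PINNED_TARGET, USERDN, e, BIND) for e in ENTRIES]

if __name__ == "__main__":
    print("posted:", posted_aci())   # [True, False, False]
    print("pinned:", pinned_aci())   # [False, True, False]
```

Under this model the posted ACI grants the domain entry only, matching the behaviour described in the post, while the pinned variant grants the sibling user and still refuses the other domain; the domain entry itself would then rely on the first ACI.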