[Fedora-directory-users] ACI to restrict access to sensitive attributes.

Alastair Neil ajneil at gmail.com
Thu Jul 28 19:59:18 UTC 2005

I am struggling with setting ACIs to restrict access to certain attributes
I would like the employeenumber attribute to be visible only to the user and 

only if they are authenticated via sasl gssapi. I have tried several 
varients of the following:

(target = "ldap:///ou=People, dc=ite,dc=gmu,dc=edu") 
(targetattr ="employeeNumber") 
(version 3.0;acl "EmployeeNumber";
deny (all) userdn="ldap:///anyone" |
allow (read) userdn="ldap:///self" and authmethod="sasl gssapi";

this one seems to deny access regardless of the authmethod or bindbd used.

Anyone got any pointers?
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://listman.redhat.com/archives/fedora-directory-users/attachments/20050728/70db9f82/attachment.htm>

More information about the Fedora-directory-users mailing list