[Freeipa-users] The ACI reloaded !
Rob Crittenden
rcritten at redhat.com
Mon Jul 12 14:39:41 UTC 2010
ALAHYANE Rachid wrote:
> Hi,
>
> I want to add an ACI to the ldap server with the aci-add and I do not
> know how I can do it?
>
> The aci to add is the following :
>
>
> (targetattr = "friends,blockedfriends,givenName || sn || cn ||
> displayName || title || initials || loginShell || gecos || homePhone ||
> mobile || pager || facsimileTelephoneNumber || telephoneNumber || street
> || roomNumber || l || st || postalCode || manager || secretary ||
> description || carLicense || labeledURI || inetUserHTTPURL || seeAlso ||
> employeeType || businessCategory || ou")(version 3.0;acl "My Self
> service";allow (write) userdn = "ldap:///self";)
The aci plugin can't handle self bind rules yet (I created ticket #80 to
track this).
You can still add this with ldapmodify though.
First you need to replace the commas in your targetattr with ||, then
you should be able to add it with something like:
ldapmodify -x -D 'cn=directory manager' -W
dn: dc=example,dc=com
changetype: modify
add: aci
aci: <your_aci>
^D
>
> Note that I added some new target attributes (also added on the ldap
> schema). The last time I tried to modify an ACI, the aci entry was
> deleted. It is for this reason that I try to add a new one.
What the aci plugin does in the modify case is delete the old aci and
add a new one. The problem with the plugin wasn't shown until after the
deletion, hence any aci you tried to modify you basically just deleted.
rob
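As an added example (not code from the thread or from FreeIPA), this Python script does the two things the reply describes: it rewrites a targetattr clause so the attributes are separated only by `||`, and it emits the LDIF modify record to pipe into ldapmodify. The DN and the abridged ACI are constructed sample values.

```python
import re
import sys

# Constructed sample, abridged from the ACI in the thread: a targetattr that
# mixes commas (invalid) with the "||" separator the ACI syntax requires.
SAMPLE_ACI = (
    '(targetattr = "friends,blockedfriends,givenName || sn || cn || displayName")'
    '(version 3.0;acl "My Self service";allow (write) userdn = "ldap:///self";)'
)

# Matches the quoted targetattr value and its operator ("=" or "!=").
TARGETATTR_RE = re.compile(r'\(targetattr\s*(!?=)\s*"([^"]*)"\)', re.IGNORECASE)


def normalize_targetattr(aci: str) -> str:
    """Return the ACI with its targetattr list joined by ' || ' only.
    Commas are not a valid separator in Directory Server ACI syntax; duplicate
    attribute names are dropped case-insensitively."""
    match = TARGETATTR_RE.search(aci)
    if match is None:
        raise ValueError("no targetattr clause found in ACI")
    seen, attrs = set(), []
    for raw in re.split(r"\|\||,", match.group(2)):
        attr = raw.strip()
        if attr and attr.lower() not in seen:
            seen.add(attr.lower())
            attrs.append(attr)
    rebuilt = '(targetattr %s "%s")' % (match.group(1), " || ".join(attrs))
    return aci[: match.start()] + rebuilt + aci[match.end():]


def fold_ldif_line(line: str, width: int = 76) -> str:
    """Fold a long LDIF line per RFC 2849: continuation lines start with a space."""
    pieces, rest = [line[:width]], line[width:]
    while rest:
        pieces.append(" " + rest[: width - 1])
        rest = rest[width - 1:]
    return "\n".join(pieces)


def aci_to_ldif(dn: str, aci: str) -> str:
    """Build the 'add: aci' modify record shown in the reply, ready for ldapmodify."""
    lines = ["dn: " + dn, "changetype: modify", "add: aci",
             "aci: " + normalize_targetattr(aci)]
    return "\n".join(fold_ldif_line(line) for line in lines) + "\n"


if __name__ == "__main__":
    # Pipe the output into: ldapmodify -x -D 'cn=directory manager' -W
    sys.stdout.write(aci_to_ldif("dc=example,dc=com", SAMPLE_ACI))
```

Because the plugin deletes the old aci on modify, generating the LDIF first and reviewing it before piping it to ldapmodify avoids losing the entry to a syntax mistake.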