OUD11g - ACI targetattr Not Working as Expected

(Doc ID 2105059.1)

Last updated on MARCH 01, 2018

Applies to:

Oracle Unified Directory - Version and later
Information in this document applies to any platform.


OUD version
A custom ACI was created in ODSM to restrict an account so that it can read only certain attributes of the user entries, but a search bound as that account does not return the entry as expected.

The issue can be reproduced at will with the following steps:
1. Go to ODSM.
2. Select the Security tab.
3. Expand the Directory ACLs element.
4. Click the "create new ACI" icon.
5. Set the fields as follows:

Detail view
  Type                Operator      Target
  Target Attribute    = (Equals)    mail
Access to:
  Allow: Read, Search
Bind Rules:
  userdn="ldap:///uid=user.0, ou=People, dc=example, dc=com"

Expected behavior
It should be possible to restrict a particular account so that it can read only certain attributes of the user entries.

1. Reviewing the ACI with ldapsearch

-bash-3.2$ ./ldapsearch -h localhost -p 1389 -D "cn=directory manager" -j pwd.txt -b "dc=example,dc=com" "aci=*" aci
dn: ou=People,dc=example,dc=com
aci: (targetattr = "mail") (version 3.0; acl "testACI"; allow (read,search) userdn = "ldap:///uid=user.0,ou=People,dc=example,dc=com";)

2. Testing the same search bound as "user.0" returns no results

-bash-3.2$ ./ldapsearch -h localhost -p 1389 -D "uid=user.0,ou=People,dc=example,dc=com" -j pwd.txt -b "uid=user.1,ou=People,dc=example,dc=com" -s base "(objectclass=*)" mail

3. Binding as the administrator "cn=directory manager" instead returns the entry

-bash-3.2$ ./ldapsearch -h localhost -p 1389 -D "cn=directory manager" -j pwd.txt -b "uid=user.1,ou=People,dc=example,dc=com" -s base "(objectclass=*)" mail
dn: uid=user.1,ou=People,dc=example,dc=com
mail: user.1@maildomain.net
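One check worth running on an ACI like this before changing anything else: OUD only lets a search filter match against attributes the bind DN has search rights on, so a filter such as (objectclass=*) needs objectclass covered by targetattr as well as the attributes being returned; with targetattr set to "mail" alone, the filter can never evaluate for user.0 and the entry is not returned. The script below is an added example, not code from the article or from Oracle: it parses the targetattr clause of an ACI string (the one returned in step 1 is embedded as a constructed sample), extracts the attribute types named in a search filter, reports which of them the ACI does not cover, and proposes the widened targetattr value. The parsing is deliberately minimal (one targetattr clause, "||"-separated names, the "*" wildcard and the "!=" form); it is not a full ACI or filter grammar.

```python
import re

# Constructed sample: the ACI exactly as the ldapsearch in step 1 returns it.
SAMPLE_ACI = ('(targetattr = "mail") (version 3.0; acl "testACI"; allow (read,search) '
              'userdn = "ldap:///uid=user.0,ou=People,dc=example,dc=com";)')

# targetattr clause: (targetattr = "a || b") or (targetattr != "a")
_TARGETATTR = re.compile(r'\(\s*targetattr\s*(!?=)\s*"([^"]*)"\s*\)', re.IGNORECASE)
# Attribute type at the start of each filter item: "(cn=", "(mail~=", "(createTimestamp>=" ...
_FILTER_ATTR = re.compile(r'\(\s*([A-Za-z][A-Za-z0-9.;-]*)\s*(?:~=|>=|<=|=)')


def parse_targetattr(aci):
    """Return (negated, names) for the ACI's targetattr clause, names lower-cased.

    Returns None when the clause is absent, which OUD treats as "all attributes".
    """
    m = _TARGETATTR.search(aci)
    if m is None:
        return None
    op, raw = m.groups()
    names = {n.strip().lower() for n in raw.split("||") if n.strip()}
    return (op == "!="), names


def covers(aci, attr):
    """True if the ACI's targetattr clause applies to the given attribute type."""
    parsed = parse_targetattr(aci)
    if parsed is None:
        return True
    negated, names = parsed
    hit = "*" in names or attr.lower() in names
    # For "!=" the clause applies to everything that is NOT listed.
    return hit != negated


def filter_attrs(ldap_filter):
    """Attribute types a search filter references; presence items such as (mail=*) count too."""
    return {a.lower() for a in _FILTER_ATTR.findall(ldap_filter)}


def uncovered_filter_attrs(aci, ldap_filter):
    """Filter attributes this ACI grants no search right on.

    If the list is non-empty, the filter cannot match for the bind DN and the
    search returns nothing, which is the symptom seen in step 2.
    """
    return sorted(a for a in filter_attrs(ldap_filter) if not covers(aci, a))


def suggested_targetattr(aci, ldap_filter):
    """targetattr value that also covers the filter attributes, or None if nothing is missing.

    Only the plain "=" form is widened; a "!=" clause already covers every unlisted attribute.
    """
    missing = uncovered_filter_attrs(aci, ldap_filter)
    parsed = parse_targetattr(aci)
    if not missing or parsed is None or parsed[0]:
        return None
    negated, names = parsed
    return " || ".join(sorted(names) + missing)


if __name__ == "__main__":
    for flt in ("(objectclass=*)", "(&(objectclass=person)(mail=*))"):
        missing = uncovered_filter_attrs(SAMPLE_ACI, flt)
        print(f"{flt}: filter attributes not searchable via this ACI -> {missing or 'none'}")
        fix = suggested_targetattr(SAMPLE_ACI, flt)
        if fix:
            print(f'  widen the clause to: (targetattr = "{fix}")')
```

Run it as-is to see the ACI from step 1 fail the check for the filter used in step 2; paste a different ACI string or filter into the calls to test your own. The ldapsearch in step 1 is still the authoritative way to confirm what the server actually holds, and the widened targetattr should be verified by repeating the search in step 2 as the restricted user.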
