OUD11g - ACI targetattr Not Working as Expected (Doc ID 2105059.1)

Last updated on FEBRUARY 10, 2016

Applies to:

Oracle Unified Directory - Version 11.1.1.5.0 and later
Information in this document applies to any platform.

Symptoms

OUD version 11.1.2.2.0

A custom ACI was created in ODSM to restrict an account to reading only certain attributes of the user entries. A search bound as that account does not return the entry as expected, although the ACI is stored exactly as configured.

The issue can be reproduced at will with the following steps:
1. Go to ODSM.
2. Select the Security tab.
3. Expand the Directory ACLs element.
4. Click the Create New ACI icon and set the fields as follows (Detail view):

Targets
    Type                Operator        Target
    Target Attribute    = (Equals)      mail
Permissions
    Access to:
    Allow: Read, Search
Bind Rules
    userdn="ldap:///uid=user.0, ou=People, dc=example, dc=com"


Expected behavior
The account should be able to read only the targeted attribute (mail) of the user entries, so a search bound as that account should return the entry with its mail value.

1. Reviewing the ACI with ldapsearch, bound as cn=directory manager (the ACI is stored on ou=People exactly as configured in ODSM)

-bash-3.2$ ./ldapsearch -h localhost -p 1389 -D "cn=directory manager" -j pwd.txt -b "dc=example,dc=com" "aci=*" aci
dn: ou=People,dc=example,dc=com
aci: (targetattr = "mail") (version 3.0; acl "testACI"; allow (read,search) userdn = "ldap:///uid=user.0,ou=People,dc=example,dc=com";)

2. Testing as user.0: the base search on uid=user.1 returns no entry at all (no error, empty result)

-bash-3.2$ ./ldapsearch -h localhost -p 1389 -D "uid=user.0,ou=People,dc=example,dc=com" -j pwd.txt -b "uid=user.1,ou=People,dc=example,dc=com" -s base "(objectclass=*)" mail

3. The same search bound as the administrative user cn=directory manager (which bypasses ACI evaluation) returns the entry

-bash-3.2$ ./ldapsearch -h localhost -p 1389 -D "cn=directory manager" -j pwd.txt -b "uid=user.1,ou=People,dc=example,dc=com" -s base "(objectclass=*)" mail
dn: uid=user.1,ou=People,dc=example,dc=com
mail: user.1@maildomain.net
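The check a practitioner would run before opening the Cause section is to separate the two permissions the ACI grants: in the Directory Server ACI model used by OUD, "search" permission is evaluated on every attribute named in the search filter, while "read" permission governs which attributes are returned. The repro filter is "(objectclass=*)", but the ACI targets only "mail". The following script is an added example, not code from this article or from OUD: it is a deliberately simplified model of that rule (single-ACI "allow" form, equality targetattr only, a hard-coded list of root DNs assumed to bypass ACIs) that replays the article's ACI against the article's two searches, plus the two obvious variants (a filter on mail, and a targetattr that also covers objectClass). The ACI string and DNs are copied from the article; ROOT_DNS and the helper names are assumptions of this example.

```python
"""
Simplified model of how a Directory-Server-style ACI (OUD/ODSEE syntax) is
applied to an LDAP search.  Rule modelled: every attribute used in the search
filter needs "search" permission, every attribute returned needs "read"
permission.  Illustrative reimplementation only, NOT OUD's access-control
engine; it understands just this shape:
  (targetattr = "a || b") (version 3.0; acl "name"; allow (perms) userdn = "ldap:///dn";)
"""
import re

ACI_RE = re.compile(
    r'\(\s*targetattr\s*=\s*"(?P<attrs>[^"]*)"\s*\)\s*'
    r'\(\s*version\s+3\.0\s*;\s*acl\s+"(?P<name>[^"]*)"\s*;\s*'
    r'allow\s*\(\s*(?P<perms>[^)]*)\)\s*'
    r'userdn\s*=\s*"ldap:///(?P<dn>[^"]*)"\s*;\s*\)',
    re.IGNORECASE,
)

# Attribute name that follows "(" in an RFC 4515 filter: (mail=*), (cn~=x), (uid>=1), (a:=b)
FILTER_ATTR_RE = re.compile(r'\(\s*([A-Za-z][\w.;-]*)\s*(?:>=|<=|~=|:=|=)')

# Assumption of this model: root DNs bypass ACI evaluation (OUD's bypass-acl privilege).
ROOT_DNS = {"cn=directory manager"}

# Values taken from the article (ACI as stored on ou=People, and the two bind DNs).
ARTICLE_ACI = ('(targetattr = "mail") (version 3.0; acl "testACI"; allow (read,search) '
               'userdn = "ldap:///uid=user.0,ou=People,dc=example,dc=com";)')
USER0 = "uid=user.0,ou=People,dc=example,dc=com"
DIRMGR = "cn=directory manager"


def norm_dn(dn):
    """Case-fold and strip whitespace around RDN separators so DNs compare equal."""
    return ",".join(part.strip() for part in dn.lower().split(","))


def parse_aci(aci):
    """Parse one simple allow-ACI into its target attributes, permissions and bind DN."""
    m = ACI_RE.fullmatch(aci.strip())
    if not m:
        raise ValueError(f"unsupported ACI form: {aci!r}")
    return {
        "name": m["name"],
        "attrs": {a.strip().lower() for a in m["attrs"].split("||") if a.strip()},
        "perms": {p.strip().lower() for p in m["perms"].split(",") if p.strip()},
        "userdn": norm_dn(m["dn"]),
    }


def filter_attrs(ldap_filter):
    """Attribute names referenced by a search filter, lower-cased."""
    return {a.lower() for a in FILTER_ATTR_RE.findall(ldap_filter)}


def granted(acis, bind_dn, perm):
    """Attributes on which bind_dn holds `perm`, unioned over all matching allow ACIs."""
    bind = norm_dn(bind_dn)
    out = set()
    for aci in acis:
        if aci["userdn"] == bind and perm in aci["perms"]:
            out |= aci["attrs"]
    return out


def evaluate_search(acis, bind_dn, ldap_filter, requested):
    """Decide whether the entry is returned and which requested attributes come back."""
    if norm_dn(bind_dn) in ROOT_DNS:
        return {"returned": True, "attrs": list(requested), "missing_search": []}
    needed = filter_attrs(ldap_filter)
    missing = sorted(needed - granted(acis, bind_dn, "search"))
    if missing:  # filter touches an attribute the account may not search on: no entry
        return {"returned": False, "attrs": [], "missing_search": missing}
    readable = granted(acis, bind_dn, "read")
    return {"returned": True,
            "attrs": [a for a in requested if a.lower() in readable],
            "missing_search": []}


def replay_article():
    """Replay the article's searches plus two variants; returns a dict keyed by case name."""
    acis = [parse_aci(ARTICLE_ACI)]
    widened = [parse_aci(ARTICLE_ACI.replace('"mail"', '"mail || objectClass"'))]
    return {
        "user0_objectclass_filter": evaluate_search(acis, USER0, "(objectclass=*)", ["mail"]),
        "dirmgr_objectclass_filter": evaluate_search(acis, DIRMGR, "(objectclass=*)", ["mail"]),
        "user0_mail_filter": evaluate_search(acis, USER0, "(mail=*)", ["mail"]),
        "user0_widened_aci": evaluate_search(widened, USER0, "(objectclass=*)", ["mail", "cn"]),
    }


if __name__ == "__main__":
    for case, result in replay_article().items():
        print(f"{case:28s} {result}")
```

The first case reproduces the symptom: user.0 has no search permission on objectclass, so the entry is never matched and nothing is returned, while cn=directory manager bypasses the check. The two variants show the two ways the same ACI intent can be satisfied without giving the account read access to anything beyond mail: filter on an attribute the ACI already covers, or add objectClass to targetattr (read on objectClass is then also granted, which is usually acceptable but is a wider grant than the original ACI and should be a deliberate choice).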


Cause
