[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: ACI

To: openldap-software@OpenLDAP.org
Subject: Re: ACI
From: Manuel Guesdon <ml@sbuilders.com>
Date: Fri, 26 Nov 1999 19:03:12 +0000 ( )
In-reply-to: <19991126165320.83060.qmail@hotmail.com>
Organization: Software Builders

Hello,

On Fri, 26 Nov 1999 17:53:20 CET, "Fabrice Nouet" <f_nouet@hotmail.com> wrote:
>| I have a problem when I use two ACI:
>| In my slapd.conf I want to create two ACI
>|  
>| access to dn=".*ou=System,o=RV" by "cn=Alan,ou=System,o=RV" write
>| access to dn=".*ou=System,o=RV" by "cn=Fabrice,ou=System,o=RV" write
>|  
>| In only the first ACI is present I can create a new user with the Alan dn
>| In only the second ACI is present I can create a new user with the Fabrice 
>| dn
>|  
>| But I the two ACIs are present I cannot create a new user with the Fabrice 
>| dn and I can create a user thnaks to the Alan dn
>| 

The 1st ACL who's matching dn (and attributes) is used.

You'd better try:

access to dn=".*ou=System,o=RV" 
	by "cn=Alan,ou=System,o=RV" write
	by "cn=Fabrice,ou=System,o=RV" write

Now, it take this ACL because the dn match and test if you are Alan (if yes, it give you write access), if not , it test
Fabrice. If you aren't Alan nor Fabrice, it take the default access specification.

If you try
access to dn=".*ou=System,o=RV" 
	by "cn=Alan,ou=System,o=RV" write
	by "cn=Fabrice,ou=System,o=RV" write
	by * none

If you are not Alan or Fabrice, you'll have no access to the specified dn, even if you add another ACL after.

Manuel


--
____________________________________________________________________
Manuel GUESDON  -  SOFTWARE BUILDERS        <mguesdon@sbuilders.com>
http://www.sbuilders.com                        PGP Key Id: 12C3E391
PGP Signed/Encrypted mails prefered

References:
- ACI
  - From: "Fabrice Nouet" <f_nouet@hotmail.com>

Prev by Date: Re: Debugging LDAP
Next by Date: Re: Debugging LDAP
Index(es):
- Chronological
- Thread