Re: ACL
Fabrice Nouet wrote:
> With your recommendations I tried something else...
> really strange
>
> I have now only one line which is:
>
> access to dn=".*ou=User,o=Right vision" attr=userpassword
>     by dn="cn=Thierry,ou=Admin,o=Right Vision" read
>     by dn="cn=Fabrice,ou=Admin,o=Right Vision" write
>     by * none
If it is the only line, and if default access is none, then no access is given
to the entries under "ou=User,o=Right Vision" except for the password.
>
> I am waiting for the following result:
> - Fabrice has access to write and read all entries below ou=User,o=Right
> Vision
No, here Fabrice just has write access to the userpassword attribute.
> - Thierry can read all entries below ou=User,o=Right Vision
No, Thierry can read all userpasswords under "ou=User,o=Right Vision".
> - The other users read all entries below ou=User,o=Right Vision but not the
> userpassword attribute below
They don't have access to the userpassword, but for the access to the entries it
depends on the default access rule.
> but when I run the command
>
> ldapsearch -D "cn=Thierry,ou=Admin,o=Right Vision" -w password -b "o=Right
> Vision" "objectclass=*"
>
> I see all entries in my base and not entries below ou=users,...
Of course, Thierry can only read the user password and not the entries.
> same behaviour for Fabrice
Same problem.
> with eric I can see all entries without the userpassword attribute
So, the default access rule must be "defaultaccess read".
>
> It is the same thing when I put a comma like this
>
> access to dn=".*,ou=User,o=Right vision" attr=userpassword ....
>
> Now if I try to add :
>
> defaultaccess none
>
> no entry displayed for all users...
Because your rules manage access to the userpassword attribute and not to the
entries.
Try this:
access to dn=".*,ou=User,o=Right Vision" attr=userpassword
    by dn="cn=Thierry,ou=Admin,o=Right Vision" read
    by dn="cn=Fabrice,ou=Admin,o=Right Vision" write
    by * none
access to dn=".*,ou=User,o=Right Vision"
    by dn="cn=Thierry,ou=Admin,o=Right Vision" read
    by dn="cn=Fabrice,ou=Admin,o=Right Vision" write
    by * read
Perhaps it's not exact, so if one can help me... thanks.
Manu.
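To make the evaluation order behind this reply concrete, here is an added Python simulation of slapd's first-match ACL evaluation; it is not code from this thread or from OpenLDAP, and the entries, the admin "cn=Eric" DN and the helper names (parse_acl, evaluate, search_view) are constructed for the example. It models what the thread describes: the first "access to" clause whose target matches is selected, the first matching "by" inside it decides, a matching clause with no matching "by" denies, and when no clause matches the defaultaccess value applies. It then runs Fabrice's single clause and the two-clause version above against a few constructed entries under o=Right Vision. The search model is deliberately simplified (an entry is listed only if the requester can read the entry itself; real slapd has finer rules), and DN regexes are assumed to be anchored and case-insensitive.

```python
import re

# Access levels in the order slapd ranks them: a higher level implies the lower ones.
LEVELS = ["none", "auth", "compare", "search", "read", "write"]


def at_least(granted, wanted):
    return LEVELS.index(granted) >= LEVELS.index(wanted)


def parse_acl(text):
    """Parse the ACL subset used in this thread: 'access to dn="<regex>" [attr=<list>]'
    followed by 'by <who> <level>' lines, where <who> is '*' or dn="<exact dn>"."""
    clauses = []
    for raw in text.strip().splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("access to "):
            m = re.fullmatch(r'access to dn="([^"]*)"(?:\s+attr=(\S+))?', line)
            if not m:
                raise ValueError("unsupported target: " + line)
            attrs = m.group(2).lower().split(",") if m.group(2) else None
            clauses.append({"dn": m.group(1), "attrs": attrs, "by": []})
        elif line.startswith("by "):
            m = re.fullmatch(r'by (\*|dn="[^"]*") (\w+)', line)
            if not m or not clauses:
                raise ValueError("unsupported by clause: " + line)
            who = "*" if m.group(1) == "*" else m.group(1)[4:-1]
            clauses[-1]["by"].append((who, m.group(2)))
        else:
            raise ValueError("unexpected line: " + line)
    return clauses


def evaluate(clauses, default, requester, target_dn, attr=None):
    """Access level 'requester' gets on target_dn (attr=None means the entry itself).
    First matching 'access to' clause wins; inside it the first matching 'by' decides;
    a selected clause with no matching 'by' denies; no matching clause -> defaultaccess."""
    for c in clauses:
        if not re.fullmatch(c["dn"], target_dn, re.IGNORECASE):
            continue
        if attr is None:
            if c["attrs"] is not None:
                continue  # an attribute-only clause says nothing about the entry
        elif c["attrs"] is not None and attr.lower() not in c["attrs"]:
            continue
        for who, level in c["by"]:
            if who == "*" or who.lower() == requester.lower():
                return level
        return "none"
    return default


def search_view(clauses, default, requester, entries):
    """Simplified subtree search result: an entry is returned only if the requester
    can read the entry itself, and each attribute only with at least read on it."""
    view = {}
    for dn, attrs in entries.items():
        if not at_least(evaluate(clauses, default, requester, dn), "read"):
            continue
        view[dn] = sorted(a for a in attrs
                          if at_least(evaluate(clauses, default, requester, dn, a), "read"))
    return view


# Fabrice's single clause, and the two-clause version proposed in the reply.
ORIGINAL_ACL = '''
access to dn=".*ou=User,o=Right vision" attr=userpassword
    by dn="cn=Thierry,ou=Admin,o=Right Vision" read
    by dn="cn=Fabrice,ou=Admin,o=Right Vision" write
    by * none
'''
PROPOSED_ACL = '''
access to dn=".*,ou=User,o=Right Vision" attr=userpassword
    by dn="cn=Thierry,ou=Admin,o=Right Vision" read
    by dn="cn=Fabrice,ou=Admin,o=Right Vision" write
    by * none
access to dn=".*,ou=User,o=Right Vision"
    by dn="cn=Thierry,ou=Admin,o=Right Vision" read
    by dn="cn=Fabrice,ou=Admin,o=Right Vision" write
    by * read
'''

# Constructed directory content (not from the thread); "cn=Eric" is assumed to be an admin.
THIERRY = "cn=Thierry,ou=Admin,o=Right Vision"
FABRICE = "cn=Fabrice,ou=Admin,o=Right Vision"
ERIC = "cn=Eric,ou=Admin,o=Right Vision"
ENTRIES = {
    "cn=alice,ou=User,o=Right Vision": ["cn", "mail", "userPassword"],
    "cn=bob,ou=User,o=Right Vision": ["cn", "mail", "userPassword"],
    ERIC: ["cn", "userPassword"],
}

if __name__ == "__main__":
    for name, acl, default in [("original", ORIGINAL_ACL, "read"),
                               ("original", ORIGINAL_ACL, "none"),
                               ("proposed", PROPOSED_ACL, "none")]:
        print(f"--- {name} ACL, defaultaccess {default}")
        for who in (THIERRY, FABRICE, ERIC):
            print(who.split(",")[0], search_view(parse_acl(acl), default, who, ENTRIES))
```

Running it reproduces the symptoms reported in the thread: with the single clause and defaultaccess none nobody gets any entry, with defaultaccess read Eric sees the user entries minus userPassword, and with the two clauses Thierry and Fabrice get the user entries with the password while Eric gets them without it. It also shows the caveat a reviewer would raise about both configurations: with defaultaccess read, anything outside ou=User is governed by the default alone, so the userPassword of the admin entries stays readable by everyone until a clause covers those entries as well.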
References:
- ACL, from "Fabrice Nouet" <f_nouet@hotmail.com>