
ACLs again



 OK, just checking that I'm on the right track.

 I want the "defaultaccess" on everything except the ou=People subgroup to
be "read". I want anyone that logs in with a password, where they have an
attribute "role=staff" to be able to read all ou=People records, and modify
their own. I also have a user "anonymous" whom I want to give search access
to.

 This is what I thought would do the job:

# Default no access
defaultaccess none
# Give read access to everything in the o=online.ie tree, to everyone 
access to dn="ou=.*,o=online.ie,dc=fv,dc=digiserve,dc=ie"
by * read
# Take away access to everyone for the People tree, except self, role=staff
# and to a logged-in anonymous user.
access to dn=".*,ou=People,o=online.ie,dc=fv,dc=digiserve,dc=ie"
by self write
by role=staff read
by "uid=anonymous,ou=People,o=online.ie,dc=fv,dc=digiserve,dc=ie" search
by * none

Kate

-- 
Microsoft. The best reason in the world to drink beer.
http://www.redbrick.dcu.ie/~valen
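
Added example, not part of the original post: a small Python model of how the two posted "access to dn=<regex>" clauses are selected for an entry. It assumes slapd applies the first "access to" clause, in configuration-file order, whose pattern matches the entry DN, and that patterns match unanchored and case-insensitively (Python's re.search stands in for slapd's regex engine). The function names, rule labels and the ou=Devices DN are constructed for illustration.

```python
import re

SUFFIX = "o=online.ie,dc=fv,dc=digiserve,dc=ie"

# The two <what> selectors from the post, in the order they were posted.
# Labels are hypothetical; only the regexes come from the message.
RULES = [
    ("everything-read", r"ou=.*," + SUFFIX),
    ("people-restricted", r".*,ou=People," + SUFFIX),
]

# Constructed sample entry DNs under the posted suffix.
SAMPLE_DNS = [
    "uid=kate,ou=People," + SUFFIX,
    "uid=anonymous,ou=People," + SUFFIX,
    "ou=People," + SUFFIX,
    "cn=printer1,ou=Devices," + SUFFIX,
    SUFFIX,
]


def first_match(entry_dn, rules=RULES):
    """Label of the first rule whose regex matches entry_dn.

    None means no clause matched, so defaultaccess would apply.
    """
    for name, pattern in rules:
        if re.search(pattern, entry_dn, re.IGNORECASE):
            return name
    return None


def shadowed(rules, sample_dns):
    """Rules that match some sample DN but never win for any of them."""
    hidden = []
    for name, pattern in rules:
        hits = [dn for dn in sample_dns if re.search(pattern, dn, re.IGNORECASE)]
        if hits and all(first_match(dn, rules) != name for dn in hits):
            hidden.append(name)
    return hidden


if __name__ == "__main__":
    for label, rules in (("as posted", RULES), ("People clause first", RULES[::-1])):
        print(label)
        for dn in SAMPLE_DNS:
            print("  %-60s -> %s" % (dn, first_match(dn, rules)))
        print("  shadowed:", shadowed(rules, SAMPLE_DNS))
```

Under these assumptions the broad ou=.* pattern also matches every DN below ou=People, so the clause order decides which "by" list is consulted for those entries.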
