OK. just checking that I'm on the right track. I want the "defaultaccess" on everything except the ou=People subgroup to be "read". I want anyone that logs in with a password, where they have an attribute "role=staff" to be able to read all ou=People records, and modify their own. I also have a user "anonymous" whom I want to give search access to. This is what I thought would do the job: # Default no access defaultaccess none # Give read access to everything in the o=online.ie tree, to everyone access to dn="ou=.*,o=online.ie,dc=fv,dc=digiserve,dc=ie" by * read # Take away access to everyone for the People tree, except self, role=staff # and to a logged-in anonymous user. access to dn=".*,ou=People,o=online.ie,dc=fv,dc=digiserve,dc=ie" by self write by role=staff read by "uid=anonymous,ou=People,o=online.ie,dc=fv,dc=digiserve,dc=ie" search by * none Kate -- Microsoft. The best reason in the world to drink beer. http://www.redbrick.dcu.ie/~valen
Attachment:
pgplukKKqHEwe.pgp
Description: PGP signature