[Date Prev][Date Next]
[Chronological]
[Thread]
[Top]
Re: Subtree ACL Problem
>>>>access to dn=".*,ou=People,o=Morrison Industries,c=US"
>>>> attrs=children,entry,uid
>>>This rule doesn't apply to attribute 'mobile'
>>Ok, I think I get it. But I "thought" that "attrs=children,entry" granted
>>access to an entire subtree, apparently this is not true. Would something
>>like "attrs=children,entry,*" be more appropriate here? Can I use a wild
>>card there?
>Just don't quality the ACL with attrs. Then it will apply to
>the entry, its contents (specific attributes), and rights to
>create immediate children of this entry.
Cool, I've got it working now by splitting the rule (one to allow the create of
children, etc..., and one to allow modifcation of objects). Thanks for you
assistance and patience. If I were to write some clearer documentation (no
offense to the authors of what is already there) is there anyone I could send
it to for consideration? I assume this will remain pretty much the same in
OpenLDAP v2?
access to attr=userpassword
by self write
by group/organizationalRole/roleOccupant="cn=personel,ou=Groups,..." write
by * compare
access to dn=".*,ou=People,o=Morrison Industries,c=US"
attrs=loginshell,uidnumber,gidnumber, etc . . .
by group/organizationalRole/roleOccupant="cn=cis,ou=Groups,..." write
by * read
access to dn="ou=People,o=Morrison Industries,c=US"
attrs=children,entry
by group/organizationalRole/roleOccupant="cn=personel,ou=Groups,..." write
by group/organizationalRole/roleOccupant="cn=cis,ou=Groups,..." write
access to dn=".*,ou=People,o=Morrison Industries,c=US"
by group/organizationalRole/roleOccupant="cn=personel,ou=Groups,..." write
by group/organizationalRole/roleOccupant="cn=cis,ou=Groups,..." write
access to *
by group/organizationalRole/roleOccupant="cn=cis,ou=Groups,..." write
Systems and Network Administrator
Morrison Industries
1825 Monroe Ave NW.
Grand Rapids, MI. 49505