
Re: having more privileged users



Hi, 

That was quite a fine bunch of ACLs you got there. How does the search 
permission work? I didn't know about it.

Tarjei
> 
> If your ACLS are:
> 
> access to attrs=userPassword
>     by self write
>     by * auth
> 
> access to dn=".*,ou=My Tree,dc=my,dc=org"
>     by users read
>     by * none
> 
> access to dn=".*,ou=Another Tree,dc=my,dc=org"
>     by dn="[^,]+,ou=Apps,dc=my,dc=org"
>     by * none
> 
> access to *
>     by * read
> 
> you need to do:
> 
> access to attrs=userPassword
>     by self write
>     by * auth
> 
> access to dn=".*,ou=My Tree,dc=my,dc=org"
>     by dn="cn=YOUR USER,ou=People,dc=my,dc=org" read
>     by users read
>     by * none
> 
> access to dn=".*,ou=Another Tree,dc=my,dc=org"
>     by dn="cn=YOUR USER,ou=People,dc=my,dc=org" read
>     by dn="[^,]+,ou=Apps,dc=my,dc=org"
>     by * none
> 
> access to *
>     by dn="cn=YOUR USER,ou=People,dc=my,dc=org" read
>     by * search
> 
> the same applies if you need different access rights, say "write". You
> also need to set
> 
> sizelimit    (>MAX ENTRIES)
> timelimit    (>TIME REQUIRED TO SEARCH THE WHOLE DIT)
> 
> If you go to HEAD, you may also have a look at
> 
> http://www.openldap.org/lists/openldap-devel/200107/msg00116.html
> 
> and threads that follow.
> 
> Pierangelo.
> 
> --
> Dr. Pierangelo Masarati               | voice: +39 02 2399 8309
> Dip. Ing. Aerospaziale                | fax:   +39 02 2399 8334
> Politecnico di Milano                 | mailto:masarati@aero.polimi.it
> via La Masa 34, 20156 Milano, Italy   |
> http://www.aero.polimi.it/~masarati


____________________
Tarjei Huse
920 63 413
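As an added illustration (not code from either mail), here is a small Python evaluator that applies slapd's first-match rule to the dn-based clauses quoted above, so you can see why "cn=YOUR USER" ends up with read everywhere while everyone else gets only search on the catch-all. It assumes the pre-2.2 dn="<regex>" syntax, anchors each regex to the whole DN, and gives the "ou=Apps" clause (which has no level in the mail) an explicit "read".

```python
import re
LEVELS = ["none", "auth", "compare", "search", "read", "write"]  # slapd.access(5) order
# Constructed from the dn-based clauses in the quoted mail; assumption: the "ou=Apps" clause gets "read".
ACLS = """
access to dn=".*,ou=My Tree,dc=my,dc=org"
    by dn="cn=YOUR USER,ou=People,dc=my,dc=org" read
    by users read
    by * none
access to dn=".*,ou=Another Tree,dc=my,dc=org"
    by dn="cn=YOUR USER,ou=People,dc=my,dc=org" read
    by dn="[^,]+,ou=Apps,dc=my,dc=org" read
    by * none
access to *
    by dn="cn=YOUR USER,ou=People,dc=my,dc=org" read
    by * search
"""
def parse_acls(text):
    """Ordered list of (target, [(who, level), ...]) from slapd.conf-style lines."""
    acls = []
    for line in (l.strip() for l in text.strip().splitlines()):
        if line.startswith("access to "):
            acls.append((line[len("access to "):], []))
        elif line.startswith("by "):
            acls[-1][1].append(re.match(r'by\s+(\*|users|anonymous|self|dn="[^"]*")\s+(\w+)', line).groups())
    return acls

def dn_matches(pattern, dn):
    """pattern is '*' or dn="<regex>" (pre-2.2 syntax); this toy anchors the regex to the whole DN."""
    return pattern == "*" or re.fullmatch(pattern[4:-1], dn, re.IGNORECASE) is not None

def who_matches(who, binddn, dn):
    if who == "*":
        return True
    if binddn is None:  # anonymous bind
        return who == "anonymous"
    return (who == "users" or (who == "self" and binddn.lower() == dn.lower())
            or (who.startswith('dn="') and dn_matches(who, binddn)))

def effective_access(acls, binddn, dn):
    """First matching 'access to' clause wins, then the first matching 'by' inside it."""
    for what, by in acls:
        if dn_matches(what, dn):
            for who, level in by:
                if who_matches(who, binddn, dn):
                    return level
            return "none"  # clause matched but no 'by' did: evaluation stops here
    return "none"

def can(acls, binddn, dn, needed):  # 'search' on the catch-all lets a bind traverse without 'read'
    return LEVELS.index(effective_access(acls, binddn, dn)) >= LEVELS.index(needed)
```

Note that the catch-all's "by * search" lets other binds walk through the top of the DIT without reading entries there, which is what keeps the privileged user's "read" from leaking to everyone else.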