
ACL confusion



Hi,

I'm sorry if this is a question asked before, but I can't seem to get
it working.

I try to restrict the information in my directory to the people who
should get that information. So a particular user can see only the info
he or she needs.

One piece of info is DNS records. For this, I use the schema as
described on tiscover.com. An example entry would be:

dn: cn=mydomain.nl,ou=domains,dc=wiwo,dc=nl
objectclass: DNSZone
DNSzonename: mydomain.nl
<snip>
owner: cn=marcel,ou=people,dc=wiwo,dc=nl

I left out a lot of attributes, because they are not relevant to this
problem. This entry contains more entries, for each record, eg:

dn: cn=A:www,cn=mydomain.nl,ou=domains,dc=wiwo,dc=nl
objectclass: DNSrrset
DNSipaddr: 111.222.333.444


In my slapd.conf I've got the following ACL:

access to dn=".*,ou=domains,.*"
        by dnattr=owner read
        by group="cn=operators,ou=it accounts,dc=wiwo,dc=nl" read

The zone entry can be read by the owner (and the specified group), but
the second record entry is invisible to the owner. What I basically need
is an inherited right to read from the above entry.

Is this possible, or do I have to add a 'dnattr=owner read' to every
record set?

Can someone point me in the right direction?

TIA.

Marcel

-- 
---------------------------------------------------------------
ing. Marcel van Dorp (CCDP, CCNP+security)   http://www.wiwo.nl
WiWo Support                                 tel. 071-523 77 91
Postbus 1098                                 fax  071-523 77 94
2340 BB Oegstgeest                           gsm  0653-50 77 76
---------------------------------------------------------------