Re: ACL question: is the topmost entry different ?
Hi all,
I'm still wrestling with this problem.
Here I am sending a more complete example. It's quite obvious that I am
missing something here, and I would be delighted if anyone can help me understand
this.
Here's my ACL:
---ACL
# protect all userPasswords.
# managers have access to all passwords
access to attr=userpassword
    by self write
    by group="group=managers,app=qwido" write
    by anonymous auth
###
access to dn="app=qwido"
    by dn="app=qwido" read
---
When I bind with:
Base_dn: app=qwido
Bind_dn: app=qwido
I can see the *whole* tree.
When I bind with:
Base_dn: app=qwido
Bind_dn: oc=isp001,app=qwido
I can see the *whole* tree.
When I bind with:
Base_dn: app=qwido
Bind_dn: manager=001,oc=isp001,,app=qwido
I can see the *whole* tree.
When I use the following ACL:
---ACL
# protect all userPasswords.
# managers have access to all passwords
access to attr=userpassword
    by self write
    by group="group=managers,app=qwido" write
    by anonymous auth
###
access to dn.exact="app=qwido"
    by dn="app=qwido" read
---
(note: the only change is the 'exact' style in the last access directive)
then:
When I bind with:
Base_dn: app=qwido
Bind_dn: app=qwido
I can see the *whole* tree. (expected behaviour)
When I bind with:
Base_dn: app=qwido
Bind_dn: oc=isp001,app=qwido
I can see 'nothing'
When I bind with:
Base_dn: app=qwido
Bind_dn: manager=001,oc=isp001,,app=qwido
I can see 'nothing'
Can anyone explain to me why I need to use 'exact' to get the expected behaviour?
TIA
Ace