"dnattr= " doesn't work in access clause.
Hi,
I have built two user groups and two user accounts as below.
I grant access as:
[[
access to dn.base="o=org,dc=example,dc=com"
    by dn.base="cn=Guests,ou=UserGroups,o=org,dc=example,dc=com" dnattr=member read
    by dn.base="cn=Administrators,ou=UserGroups,o=org,dc=example,dc=com" dnattr=member search
]]
That is to say, administrator can only search the root suffix, but guest can
read the root suffix's attributes. I use
"cn=administrator,ou=Users,o=org,dc=example,dc=com" and
"cn=guest,ou=Users,o=org,dc=example,dc=com" to do a search, but the result
does not take effect. Neither administrator nor guest could access the root
suffix's attributes.
I changed the clause to:
[[
by dn.base="cn=guest,ou=Users,o=org,dc=example,dc=com" read
by dn.base="cn=administrator,ou=Users,o=org,dc=example,dc=com" search
]]
It works as well. Can "dnattr=" not work in the clause, or did I forget anything?!
Thanks
===================================ldif file=================
dn: o=org,dc=example,dc=com
o: org
objectclass: top
objectclass: organization

###
# usergroups
###
dn: ou=UserGroups,o=org,dc=example,dc=com
ou: UserGroups
objectclass: top
objectclass: organizationalunit

dn: cn=Administrators,ou=UserGroups,o=org,dc=example,dc=com
objectclass: top
objectclass: groupOfNames
cn: Administrators
ou: UserGroups
member: cn=administrator,ou=Users,o=org,dc=example,dc=com

dn: cn=Guests,ou=UserGroups,o=org,dc=example,dc=com
objectclass: top
objectclass: groupOfNames
cn: Guests
ou: UserGroups
member: cn=guest,ou=Users,o=org,dc=example,dc=com

###
# users
###
dn: ou=Users,o=org,dc=example,dc=com
ou: Users
objectclass: top
objectclass: organizationalunit

dn: cn=administrator,ou=Users,o=org,dc=example,dc=com
objectclass: top
objectclass: person
objectclass: organizationalPerson
objectclass: inetOrgPerson
cn: administrator
sn: administrator
userpassword: {SSHA}jpNLGQPSTdtFpb7SjvOyWkOsNqHfVgyL

dn: cn=guest,ou=Users,o=org,dc=example,dc=com
objectclass: top
objectclass: person
objectclass: organizationalPerson
objectclass: inetOrgPerson
cn: guest
sn: guest
userpassword: {SSHA}5t4kwGgpjscpjnRF1Xnz1aIUz1zmcybH