Re: ACL for only creating entry
Sun, 14.12.2003 at 08:03, adamtheo@theoretic.com wrote:
> I had to change the below ACL suggestion slightly, replacing your "exact"
> with "base" (otherwise openldap wouldn't accept it), but no success. The
> account webregister is not able to see any of the children entries in the
> directory, as intended, but it is not able to create them at all. I get
> permission denied errors.
Dunno if it helps, but I've always found ACLs the most exasperating and
difficult part of OpenLDAP. I've also found that to give express
permissions to any parent tree and subtree, I have to enable this
expressly in my ACLs (don't forget line wrapping below):
access to dn="ou=contacts,dc=billy,dc=demon,dc=nl"
        by dn="cn=admin,dc=billy,dc=demon,dc=nl" write
        by group="cn=peoplemanagers,ou=people,ou=groups,dc=billy,dc=demon,dc=nl" write
        by * read

access to dn="ou=contacts,dc=billy,dc=demon,dc=nl" attrs=children
        by dn="cn=admin,dc=billy,dc=demon,dc=nl" write
        by group="cn=peoplemanagers,ou=people,ou=groups,dc=billy,dc=demon,dc=nl" write
        by * read
This is just an example, Ace's fancy stuff, dnregexps etc., comes in
addition.
--Tonni
--
mail: billy - at - billy.demon.nl
http://billy.demon.nl
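A worked slapd.conf fragment applying the "children" pseudo-attribute approach from the reply above to the webregister scenario in the question. It is a constructed example, not taken from either mail; all DNs are placeholders and the dn.base/dn.one styles are the OpenLDAP 2.1 syntax the question already uses.

```conf
# Constructed example (not from the original thread). Placeholder DNs:
#   branch    ou=contacts,dc=example,dc=com
#   admin     cn=admin,dc=example,dc=com
#   register  cn=webregister,ou=system,dc=example,dc=com
# The first "access to" clause whose target matches decides, so the
# narrow clauses come first and the catch-all last.

# 1. Creating (or deleting) an entry directly below the branch requires
#    write access to the PARENT's "children" pseudo-attribute. Only the
#    admin and the registration account get it; everyone else gets none,
#    so no other client can add or remove entries here.
access to dn.base="ou=contacts,dc=example,dc=com" attrs=children
        by dn.base="cn=admin,dc=example,dc=com" write
        by dn.base="cn=webregister,ou=system,dc=example,dc=com" write
        by * none

# 2. slapd also checks write access to the attributes of the entry being
#    added, evaluated against the DN the new entry will have. dn.one covers
#    exactly the entries one level below the branch and nothing deeper.
#    Caveat: "write" includes read, modify and delete on the existing
#    entries at this level too; keep the registration account's scope to
#    the single branch the application needs.
access to dn.one="ou=contacts,dc=example,dc=com"
        by dn.base="cn=admin,dc=example,dc=com" write
        by dn.base="cn=webregister,ou=system,dc=example,dc=com" write
        by * read

# 3. The branch entry itself stays readable so clients can locate it,
#    but only the admin may modify it.
access to dn.base="ou=contacts,dc=example,dc=com"
        by dn.base="cn=admin,dc=example,dc=com" write
        by * read

# 4. Least privilege for everything not matched above.
access to *
        by dn.base="cn=admin,dc=example,dc=com" write
        by * none
```

If the add still fails with clauses like these in place, raise the ACL debug level (slapd -d acl) and check which clause the failing operation actually matched; a clause earlier in the file that also matches the parent entry will silently win.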