RE: ACL questions. Answered (long)
> -----Original Message-----
> From: Diego Julian Remolina [mailto:dijuremo@math.gatech.edu]
> Actually what you suggested is not really working, see my 2 cases. I
> still need anonymous access to read entries for things like phone numbers,
> addresses, etc.
>
> Case 1. Using by * auth break on ou=People which you say makes no sense
> actually works.
>
> access to attrs=userPassword,sambaLMPassword,sambaNTPassword
>         by dn="uid=Sambaroot,ou=People,dc=math,dc=gatech,dc=edu" write
>         by * auth
>
> access to dn.children="ou=People,dc=math,dc=gatech,dc=edu"
>         attrs=sambaSamAccount
>         by dn.exact="uid=Sambaroot,ou=People,dc=math,dc=gatech,dc=edu" write
>         by * auth break
>
> access to *
>         by * read
This is a completely different situation from the ACL you posted before. If
you want "by * read" then you should state that explicitly. Liberal use of
"break" statements makes the flow of control difficult to understand, and you
will regret it months from now when you need to make an update to your rules.

access to attrs=userPassword
        by dn="uid=Sambaroot,ou=People,dc=math,dc=gatech,dc=edu" write
        by * auth

access to dn.children="ou=People,dc=math,dc=gatech,dc=edu"
        attrs=sambaSamAccount
        by dn.exact="uid=Sambaroot,ou=People,dc=math,dc=gatech,dc=edu" write
        by * read

access to *
        by * read
-- Howard Chu
Chief Architect, Symas Corp. Director, Highland Sun
http://www.symas.com http://highlandsun.com/hyc
Symas: Premier OpenSource Development and Support
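Added example, not from the thread or from OpenLDAP itself: a small Python model of slapd's ACL evaluation, run over Diego's case 1 and Howard's rewrite, to make the stop/break flow discussed above concrete. Assumed, simplified semantics: the first "access to" clause whose target matches is used, the first matching "by" clause inside it decides, "stop" (the default) ends evaluation while "break" carries the level on to the next "access to" clause, and a matching target with no matching "by" denies; the attribute set behind attrs=sambaSamAccount is a constructed subset.

```python
# Added example (not from the post): a simplified model of slapd ACL evaluation.
OBJECTCLASS_ATTRS = {  # constructed subset of what attrs=sambaSamAccount expands to
    "sambaSamAccount": {"sambaSID", "sambaAcctFlags", "sambaLMPassword", "sambaNTPassword"}}
LEVELS = ["none", "auth", "compare", "search", "read", "write"]
PEOPLE = "ou=People,dc=math,dc=gatech,dc=edu"
SAMBAROOT = "uid=Sambaroot," + PEOPLE

def what_matches(rule, dn, attr):
    parent = rule.get("children")              # dn.children="..." selector
    if parent and not dn.lower().endswith("," + parent.lower()):
        return False
    if rule.get("attrs") is None:              # no attrs= means every attribute
        return True
    covered = set()
    for a in rule["attrs"]:                    # objectClass names expand
        covered |= OBJECTCLASS_ATTRS.get(a, {a})
    return attr in covered

def evaluate(acl, requester, dn, attr):
    """Access level the requester (None = anonymous) gets on dn/attr."""
    granted = "none"
    for rule in acl:
        if not what_matches(rule, dn, attr):
            continue
        for who, level, control in rule["by"]:
            if who == "*" or (requester or "").lower() == who.lower():
                granted = level
                break
        else:
            return "none"                      # what matched, no who: denied
        if control == "stop":
            return granted
        # "break": keep the level and go on to the next access directive
    return granted

def allowed(acl, requester, dn, attr, need):
    return LEVELS.index(evaluate(acl, requester, dn, attr)) >= LEVELS.index(need)

# Diego's case 1 and Howard's rewrite, transcribed from the post.
CASE1 = [{"attrs": ["userPassword", "sambaLMPassword", "sambaNTPassword"],
          "by": [(SAMBAROOT, "write", "stop"), ("*", "auth", "stop")]},
         {"children": PEOPLE, "attrs": ["sambaSamAccount"],
          "by": [(SAMBAROOT, "write", "stop"), ("*", "auth", "break")]},
         {"by": [("*", "read", "stop")]}]
HOWARD = [{"attrs": ["userPassword"],
           "by": [(SAMBAROOT, "write", "stop"), ("*", "auth", "stop")]},
          {"children": PEOPLE, "attrs": ["sambaSamAccount"],
           "by": [(SAMBAROOT, "write", "stop"), ("*", "read", "stop")]},
          {"by": [("*", "read", "stop")]}]
```

Under this model Howard's first clause names only userPassword, so what anonymous clients may do with the Samba hash attributes then depends entirely on what attrs=sambaSamAccount expands to in the running slapd, whereas naming the hash attributes explicitly in the first clause, as Diego's did, does not depend on that expansion.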