Re: ACL assistance needed
Misty Stanley-Jones wrote:
Under dc=mycompany,dc=com, I have ou=Email Aliases. Subentries of this are
courierMailAlias objects. Most of these are standard mail aliases. However,
I would like a few of them to be editable by specific people. To this end,
in one such entry, I put a DN in the roleOccupant attribute for
the person who should be able to edit the entry. I wrote the following ACL
to give her write access:
access to dn.children="ou=Email Aliases,dc=mycompany,dc=com"
        filter=(roleOccupant=*)
        attrs=maildrop
        by dnattr=roleOccupant write
        by group/groupOfUniqueNames/uniqueMember="cn=LDAP Administrators,dc=borkholder,dc=com" write
        by * none
It works -- it lets the user edit the entry and not edit any other entries
where she is not the roleOccupant. However, I would really like it if the
only entries she could see were the ones that she could write to. Right now
she can view all the aliases, even if she cannot write to them. Is there any
way to accomplish what I am trying to do, without making an ACL for each
specific courierMailAlias in the subtree?
Hi,
Maybe I'm overlooking something, but wouldn't it be enough to put
something like the following *before* your ACL entry?
access to dn.children="ou=Email Aliases,dc=mycompany,dc=com"
        by * none
Hope this helps.
Regards,
Heiko
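As an added example (not from either poster), here is a slapd.conf ACL layout that gives the behaviour the original question asks for: the roleOccupant can edit maildrop on her own aliases, sees only those aliases, and the other aliases in the subtree stay invisible to everyone but the administrators. It assumes only the attribute names and DNs already used in the thread (maildrop, roleOccupant, the courierMailAlias class and the LDAP Administrators group); the key fact to keep in mind is that slapd applies the first "access to" clause whose target matches the entry and attribute, so the subtree-wide deny has to come after the specific rules and before any global "access to * by * read".

```conf
# Added example: slapd.conf ACLs for the "ou=Email Aliases" subtree.
# Ordering matters: slapd uses the first "access to" clause whose
# dn/filter/attrs target matches, so the specific rules come first.

# 1. The occupant and the admins may write maildrop on any alias
#    that carries a roleOccupant (this is the rule from the thread).
access to dn.children="ou=Email Aliases,dc=mycompany,dc=com"
        filter=(roleOccupant=*)
        attrs=maildrop
        by dnattr=roleOccupant write
        by group/groupOfUniqueNames/uniqueMember="cn=LDAP Administrators,dc=borkholder,dc=com" write
        by * none

# 2. The occupant may read everything else on those same entries,
#    including the "entry" pseudo-attribute. Without read access to
#    "entry", slapd will not return the entry in search results, which
#    is what makes the other aliases invisible later on. Admins get
#    write here so they can still manage the entry as a whole.
access to dn.children="ou=Email Aliases,dc=mycompany,dc=com"
        filter=(roleOccupant=*)
        by dnattr=roleOccupant read
        by group/groupOfUniqueNames/uniqueMember="cn=LDAP Administrators,dc=borkholder,dc=com" write
        by * none

# 3. Every other alias in the subtree (no roleOccupant, or a different
#    occupant) is hidden from everyone except the admins. Because this
#    clause matches the whole subtree, placing it *above* rules 1 and 2
#    would make it win for every entry and deny the occupant as well;
#    placing it below any global "access to * by * read" would let that
#    global rule win instead.
access to dn.children="ou=Email Aliases,dc=mycompany,dc=com"
        by group/groupOfUniqueNames/uniqueMember="cn=LDAP Administrators,dc=borkholder,dc=com" write
        by * none
```

After reloading slapd, check the result with an ldapsearch bound as the occupant: only the aliases whose roleOccupant is her DN should come back, and a modify of maildrop on one of them should succeed while the same modify on another alias is refused.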