[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: ACL assistance needed

To: openldap-software@OpenLDAP.org
Subject: Re: ACL assistance needed
From: Heiko Noordhof <heik0@xs4all.nl>
Date: Fri, 07 Jan 2005 00:08:47 +0100
In-reply-to: <200501061649.58500.misty@borkholder.com>
References: <200501061649.58500.misty@borkholder.com>
User-agent: Mozilla Thunderbird 0.9 (X11/20041124)

Misty Stanley-Jones wrote:

Under dc=mycompany,dc=com, I have ou=Email Aliases. Subentries of this are courierMailAliase objects. Most of these are standard mail aliases. However I would like a few of them to be editable by specific people. To this end, in one of these such entries, I put a DN in the roleOccupant attribute for the person who should be able to edit the entry. I wrote the following ACL to give her write access:

access to dn.children="ou=Email Aliases,dc=mycompany,dc=com" filter=(roleOccupant=*) attrs=maildrop by dnattr=roleOccupant write by group/groupOfUniqueNames/uniqueMember="cn=LDAP Administrators,dc=borkholder,dc=com" write by * none

It works -- it lets the user edit the entry and not edit any other entries where she is not the roleOccupant. However, I would really like it if the only entries she could see were the ones that she could write to. Right now she can view all the aliases, even if she cannot write to them. Is there any way to accomplish what I am trying to do, without making an ACL for each specific courierMailAlias in the subtree?

Hi,

Maybe I'm overloking something, but wouldn't it be enough to put something like *before* your ACL entry?

access to dn.children="ou=Email Aliases,dc=mycompany,dc=com"
   by * none

Hope this helps.

Regards,

	Heiko

Follow-Ups:
- Re: ACL assistance needed
  - From: Misty Stanley-Jones <misty@borkholder.com>

References:
- ACL assistance needed
  - From: Misty Stanley-Jones <misty@borkholder.com>

Prev by Date: Re: slapd stuck in sched_yield() call
Next by Date: Re: replica uri don't allow uri
Index(es):
- Chronological
- Thread