Re: Access control attributes list



> Hello everyone,
>
> In the access controls, you can specify all attributes allowed in an
> objectclass by using the @ notation.  Is there a way to do something
> like "@inetOrgPerson, -cn" to indicate all the attributes allowed in
> inetOrgPerson but not the cn attribute?  (this is obviously just an
> example)

Not that way, but you get the intended effect by writing a rule that gives
the desired access to "cn", followed by a similar rule that gives the
"other" access to all the attributes of the objectClass; for example:

access to attrs=cn
    by dn.exact="cn=someone" read

access to attrs=@inetOrgPerson
    by dn.exact="cn=someone" search



or you could do it incrementally, e.g.

access to attrs=@inetOrgPerson
    by dn.exact="cn=someone" search break

access to attrs=cn
    by dn.exact="cn=someone" +r



p.


-- 
Pierangelo Masarati
mailto:pierangelo.masarati@sys-net.it


    SysNet - via Dossi,8 27100 Pavia Tel: +390382573859 Fax: +390382476497