
Re: Access control attributes list



That seems to work.  Except since I was doing a "none" for the
individual attribute, it only works when I specify it first as such:

access to attrs=cn
    by dn.exact="cn=someone" none

access to attrs=@inetOrgPerson
    by dn.exact="cn=someone" read




On Thu, 2005-09-01 at 18:09 +0200, Pierangelo Masarati wrote:
> > Hello everyone,
> >
> > In the access controls, you can specify all attributes allowed in an
> > objectclass by using the @ notation.  Is there a way to do something
> > like "@inetOrgPerson, -cn" to indicate all the attributes allowed in
> > inetOrgPerson but not the cn attribute?  (this is obviously just an
> > example)
> 
> Not that way, but you get the intended effect by writing a rule that gives
> the desired access to "cn", followed by a similar rule that gives the
> "other" access to all the attributes of the objectClass; for example:
> 
> access to attrs=cn
>     by dn.exact="cn=someone" read
> 
> access to attrs=@inetOrgPerson
>     by dn.exact="cn=someone" search
> 
> 
> 
> or you could do it incrementally, e.g.
> 
> access to attrs=@inetOrgPerson
>     by dn.exact="cn=someone" search break
> 
> access to attrs=cn
>     by dn.exact="cn=someone" +r
> 
> 
> 
> p.
> 
>
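
The ordering effect discussed in this thread, as an added example (not code from either poster or from OpenLDAP): a simplified Python model of slapd's first-match ACL evaluation, run over the rules quoted above. Assumptions: the attribute set for @inetOrgPerson is a constructed subset, and only level names, the "+" privilege form and the stop/break controls are modelled.

```python
# Added example: simplified model of slapd's first-match ACL evaluation.
LEVELS = {"none": "", "disclose": "d", "auth": "dx", "compare": "dxc",
          "search": "dxcs", "read": "dxcsr", "write": "dxcsrw"}
# Constructed subset of what @inetOrgPerson expands to (assumption).
CLASS_ATTRS = {"inetOrgPerson": {"cn", "sn", "mail", "telephoneNumber"}}

def parse(conf):
    rules = []
    for tok in (line.split() for line in conf.splitlines() if line.strip()):
        if tok[0] == "access":          # access to attrs=<what>
            rules.append((tok[2].split("=", 1)[1], []))
        else:                           # by dn.exact="<dn>" <access> [stop|break]
            who = tok[1].split("=", 1)[1].strip('"')
            rules[-1][1].append((who, tok[2], tok[3] if len(tok) > 3 else "stop"))
    return rules

def effective(conf, who, attr):
    """Privilege set the model ends up with for `who` on `attr`."""
    privs = set()
    for what, bys in parse(conf):
        attrs = CLASS_ATTRS[what[1:]] if what.startswith("@") else what.split(",")
        if attr not in attrs:
            continue                    # clause does not cover this attribute
        hit = next((b for b in bys if b[0] == who), None)
        if hit is None:
            return set()                # implicit "by * none stop"
        _, access, control = hit
        if access[0] == "+":            # incremental form, e.g. +r
            privs |= set(access[1:])
        else:                           # a level name replaces the mask
            privs = set(LEVELS[access])
        if control != "break":          # default control is "stop"
            return privs
    return set()                        # implicit final "access to * by * none"

CN_NONE = """access to attrs=cn
    by dn.exact="cn=someone" none"""
OC_READ = """access to attrs=@inetOrgPerson
    by dn.exact="cn=someone" read"""
POSTER = CN_NONE + "\n" + OC_READ       # order used in the reply above
REVERSED = OC_READ + "\n" + CN_NONE     # same rules, general clause first
INCREMENTAL = """access to attrs=@inetOrgPerson
    by dn.exact="cn=someone" search break
access to attrs=cn
    by dn.exact="cn=someone" +r"""

if __name__ == "__main__":
    for name, conf in [("poster", POSTER), ("reversed", REVERSED), ("incremental", INCREMENTAL)]:
        print(name, "cn ->", "".join(sorted(effective(conf, "cn=someone", "cn"))) or "none")
```

With the general clause first and no "break", the cn-specific "none" is never evaluated, which is why the specific rule has to come first.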