[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: Access control attributes list

To: ando@sys-net.it
Subject: Re: Access control attributes list
From: Digant C Kasundra <digant@uta.edu>
Date: Thu, 01 Sep 2005 11:55:56 -0500
Cc: Openldap-Software <openldap-software@OpenLDAP.org>
In-reply-to: <36829.131.175.154.56.1125590961.squirrel@131.175.154.56>
References: <1125587170.19259.17.camel@localizer.uta.edu> <36829.131.175.154.56.1125590961.squirrel@131.175.154.56>

That seems to work.  Except since I was doing a "none" for the
individual attribute, it only works when I specify it first as such:

access to attrs=cn
    by dn.exact="cn=someone" none

access to attrs=@inetOrgPerson
    by dn.exact="cn=someone" read




On Thu, 2005-09-01 at 18:09 +0200, Pierangelo Masarati wrote:
> > Hello everyone,
> >
> > In the access controls, you can specify all attributes allowed in an
> > objectclass by using the @ notation.  Is there a way to do something
> > like "@inetOrgPerson, -cn" so indicate all the attributes allowed in
> > inetOrgPerson but not the cn attribute?  (this is obviously just an
> > example)
> 
> Not that way, but you get the intended effect by writing a rule that gives
> the desired access to "cn", followed by a similar rule that gives the
> "other" access to all the attributes of the objectClass; for example:
> 
> access to attrs=cn
>     by dn.exact="cn=someone" read
> 
> access to attrs=@inetOrgPerson
>     by dn.exact="cn=someone" search
> 
> 
> 
> or you could do it incrementally, e.g.
> 
> access to attrs=@inetOrgPerson
>     by dn.exact="cn=someone" search break
> 
> access to attrs=cn
>     by dn.exact="cn=someone" +r
> 
> 
> 
> p.
> 
>

References:
- Access control attributes list
  - From: Digant C Kasundra <digant@uta.edu>
- Re: Access control attributes list
  - From: "Pierangelo Masarati" <ando@sys-net.it>

Prev by Date: Re: Access control attributes list
Next by Date: Question pertaining to PPolicy overlay feature
Index(es):
- Chronological
- Thread