
Re: group acl permissions



On Thu, 2005-11-03 at 06:43 -0500, John Halfpenny wrote:
> Hi everyone.
> 
> I'm trying to get to grips with ACLs on LDAP. Could someone glance over this snippet of config and tell me why my members in 'Account Operators' are only being granted read permission to user attributes?
> 
> thanks!
> 
> 
> access to dn.base="" by * read
> access to dn.base="cn=Subschema" by * read
> 
> access to dn.onelevel="ou=Users,dc=student,dc=local" attrs=entry,@extensibleObject
>     by set="user/uid & [cn=Account Operators,ou=Groups,dc=student,dc=local]/memberUid" write
>     by * read
> 
> access to dn.base="ou=Users,dc=student,dc=local" attrs=children
>     by set="user/uid & [cn=Account Operators,ou=Groups,dc=student,dc=local]/memberUid" write
>     by * read

Assuming you're populating your database with entries consistent with
the rfc2307 schema, I bet you'd use "uidNumber" instead of "uid" from users;
that is:

access to dn.onelevel="ou=Users,dc=student,dc=local"
    attrs=entry,@extensibleObject
    by set="user/uidNumber & [cn=Account Operators,ou=Groups,dc=student,dc=local]/memberUid" write
    by * read

and so on...

p.



    SysNet - via Dossi,8 27100 Pavia Tel: +390382573859 Fax: +390382476497
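Editor's added example, not part of the thread above: a complete slapd.conf ACL block for this delegation pattern, with the group entry it expects and the slapacl invocation that checks the result offline. The set expression only grants access when the two sides of "&" share a value, so the operand taken from the bound user must hold the same kind of value as the group's memberUid: under rfc2307 a posixGroup's memberUid values are login names (the user's uid attribute), whereas user/uidNumber is the right operand only for a group that stores numeric IDs. The suffix, the rootdn, the test accounts uid=jsmith and uid=alice and the gidNumber are assumptions for the example.

```conf
# Added example (not from the thread). Assumed: suffix dc=student,dc=local,
# rootdn cn=Manager, test users uid=jsmith (group member) and uid=alice.
database bdb
suffix   "dc=student,dc=local"
rootdn   "cn=Manager,dc=student,dc=local"

# rootDSE and subschema stay world-readable.
access to dn.base="" by * read
access to dn.base="cn=Subschema" by * read

# Group that may manage accounts. With an rfc2307 posixGroup the memberUid
# values are login names, so they are intersected with the bound user's
# "uid"; switch to user/uidNumber only if the group really stores numbers.
#   dn: cn=Account Operators,ou=Groups,dc=student,dc=local
#   objectClass: posixGroup
#   gidNumber: 500
#   memberUid: jsmith

# Adding/deleting/renaming user entries needs write on the parent's
# "children" pseudo-attribute; the parent itself is not matched by onelevel.
access to dn.base="ou=Users,dc=student,dc=local" attrs=children
    by set="user/uid & [cn=Account Operators,ou=Groups,dc=student,dc=local]/memberUid" write
    by * read

# Password hashes must not fall under the "by * read" catch-all below:
# first matching "access to" clause wins, so this one comes first.
access to dn.onelevel="ou=Users,dc=student,dc=local" attrs=userPassword
    by set="user/uid & [cn=Account Operators,ou=Groups,dc=student,dc=local]/memberUid" write
    by self write
    by anonymous auth
    by * none

# Everything else in a user entry (no attrs list = all attributes,
# including the "entry" pseudo-attribute needed for add/delete).
access to dn.onelevel="ou=Users,dc=student,dc=local"
    by set="user/uid & [cn=Account Operators,ou=Groups,dc=student,dc=local]/memberUid" write
    by * read

# Check the decision without a running slapd (slapacl reads the database):
#   slapacl -f slapd.conf \
#       -D "uid=jsmith,ou=Users,dc=student,dc=local" \
#       -b "uid=alice,ou=Users,dc=student,dc=local" \
#       entry/write cn/write userPassword/write
# A group member gets ALLOWED for each; rerun with a non-member's -D
# (or after removing the memberUid value) and expect DENIED for write.
```

If slapacl reports DENIED for a member, run it again with "-d acl" to see which clause matched and which set operands were evaluated; an empty intersection almost always means the two attributes hold different kinds of values (login names versus numeric IDs), not a syntax error in the ACL.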