[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: group acl permissions

To: jhalfpenny@excite.com
Subject: Re: group acl permissions
From: Pierangelo Masarati <ando@sys-net.it>
Date: Thu, 03 Nov 2005 15:48:59 +0100
Cc: OpenLDAP-software@OpenLDAP.org
In-reply-to: <20051103114332.392E3C1E1E@xprdmailfe27.nwk.excite.com>
References: <20051103114332.392E3C1E1E@xprdmailfe27.nwk.excite.com>

On Thu, 2005-11-03 at 06:43 -0500, John Halfpenny wrote:
> hi everyone.
> 
> i'm trying to get to grips with acls on ldap, could someone glance over this snippet of config and tell me why my members in 'Account operators' are only being granted read permission to user attributes? 
> 
> thanks!
> 
> 
> access to dn.base="" by * read
> access to dn.base="cn=Subschema" by * read
> 
> access to dn.onelevel="ou=Users,dc=student,dc=local" attrs=entry,@extensibleObject
>     by set="user/uid & [cn=Account Operators,ou=Groups,dc=student,dc=local]/memberUid" write
>     by * read
> 
> access to dn.base="ou=Users,dc=student,dc=local" attrs=children
>     by set="user/uid & [cn=Account Operators,ou=Groups,dc=student,dc=local]/memberUid" write
>     by * read

Assuming you're populating your database with entries consistent with
rfc2307 schema, I bet you'd use "uidNumber" instead of "uid" from users;
that is:

access to dn.onelevel="ou=Users,dc=student,dc=local"
	attrs=entry,@extensibleObject
    by set="user/uidNumber & [cn=Account Operators,ou=Groups,dc=student,dc=local]/memberUid" write
    by * read

and so on...

p.



    SysNet - via Dossi,8 27100 Pavia Tel: +390382573859 Fax: +390382476497

References:
- group acl permissions
  - From: "John Halfpenny" <jhalfpenny@excite.com>

Prev by Date: 2.3.11/BDB bdb_cache_find_id deadlock
Next by Date: Re: 2.3.11/BDB bdb_cache_find_id deadlock
Index(es):
- Chronological
- Thread