Re: group acl permissions
On Thu, 2005-11-03 at 06:43 -0500, John Halfpenny wrote:
> Hi everyone.
>
> I'm trying to get to grips with ACLs on LDAP. Could someone glance over this snippet of config and tell me why my members in 'Account Operators' are only being granted read permission to user attributes?
>
> Thanks!
>
>
> access to dn.base="" by * read
> access to dn.base="cn=Subschema" by * read
>
> access to dn.onelevel="ou=Users,dc=student,dc=local" attrs=entry,@extensibleObject
>     by set="user/uid & [cn=Account Operators,ou=Groups,dc=student,dc=local]/memberUid" write
>     by * read
>
> access to dn.base="ou=Users,dc=student,dc=local" attrs=children
>     by set="user/uid & [cn=Account Operators,ou=Groups,dc=student,dc=local]/memberUid" write
>     by * read
Assuming you're populating your database with entries consistent with the
RFC 2307 schema, I bet you'd use "uidNumber" instead of "uid" from users;
that is:

access to dn.onelevel="ou=Users,dc=student,dc=local"
    attrs=entry,@extensibleObject
    by set="user/uidNumber & [cn=Account Operators,ou=Groups,dc=student,dc=local]/memberUid" write
    by * read
and so on...
p.
SysNet - via Dossi,8 27100 Pavia Tel: +390382573859 Fax: +390382476497
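The symptom in the thread (operators get only read) follows directly from how slapd evaluates a set clause: "user/ATTR & [GROUP]/memberUid" is a literal intersection of the bound entry's ATTR values with the group's memberUid values, and when that intersection is empty the "by set=..." clause simply does not match, so evaluation falls through to "by * read". Whether the user-side attribute should be uid or uidNumber therefore depends on which kind of value memberUid actually stores in the directory. The following toy evaluator, written for this page rather than taken from the posts or from OpenLDAP, models the two "access to" directives from the thread over a constructed handful of entries under dc=student,dc=local (alice, bob and the Account Operators group, all assumed data) and reports the access level each variant yields. It covers only the set syntax used in the post ("user/attr", "[dn]/attr", "&") and assumes DNs with no escaped commas.

```python
# Added example (not code from the original post or from OpenLDAP): a toy
# evaluator for the slapd set-ACL idiom discussed in the thread.  It shows that
# the 'by set=...' clause grants write only when the intersection is non-empty,
# otherwise the bound user falls through to 'by * read'.

GROUP_DN = "cn=Account Operators,ou=Groups,dc=student,dc=local"
USERS_BASE = "ou=Users,dc=student,dc=local"


def build_directory(member_uid_values):
    """Constructed sample entries (assumed data, not from the post)."""
    return {
        f"uid=alice,{USERS_BASE}": {"uid": ["alice"], "uidNumber": ["1001"]},
        f"uid=bob,{USERS_BASE}": {"uid": ["bob"], "uidNumber": ["1002"]},
        GROUP_DN: {"cn": ["Account Operators"],
                   "memberUid": list(member_uid_values)},
    }


def acl_rules(user_attr):
    """The two directives from the post, with the attribute on the 'user/'
    side of the set parameterised ('uid' as posted, 'uidNumber' as suggested)."""
    set_expr = f"user/{user_attr} & [{GROUP_DN}]/memberUid"
    by = [("set", set_expr, "write"), ("*", None, "read")]
    return [
        {"scope": "onelevel", "base": USERS_BASE,
         "attrs": {"entry", "@extensibleObject"}, "by": by},
        {"scope": "base", "base": USERS_BASE, "attrs": {"children"}, "by": by},
    ]


def eval_set(directory, bound_dn, expr):
    """Evaluate the subset of slapd set syntax used here:
    'user/attr' = values in the bound entry, '[dn]/attr' = values in the
    named entry, '&' = intersection.  Assumes no '&' or escaped commas in DNs."""
    result = None
    for term in expr.split("&"):
        term = term.strip()
        if term.startswith("user/"):
            entry, attr = directory.get(bound_dn, {}), term[len("user/"):]
        elif term.startswith("["):
            dn, attr = term[1:].split("]/", 1)
            entry = directory.get(dn, {})
        else:
            raise ValueError(f"unsupported set term: {term!r}")
        values = set(entry.get(attr, []))
        result = values if result is None else result & values
    return result or set()


def target_matches(rule, target_dn):
    """dn.base: the entry itself; dn.onelevel: its direct children only."""
    if rule["scope"] == "base":
        return target_dn == rule["base"]
    parent = target_dn.split(",", 1)[1] if "," in target_dn else ""
    return parent == rule["base"]


def access_level(directory, rules, bound_dn, target_dn, attr):
    """First matching directive wins; within it the first matching 'by'
    clause wins, mirroring how slapd walks an access list."""
    for rule in rules:
        if not target_matches(rule, target_dn):
            continue
        # '@extensibleObject' stands for every user attribute; 'entry' and
        # 'children' are the pseudo-attributes named explicitly in the post.
        if attr not in rule["attrs"] and "@extensibleObject" not in rule["attrs"]:
            continue
        for who, arg, level in rule["by"]:
            if who == "*" or (who == "set" and eval_set(directory, bound_dn, arg)):
                return level
        return "none"  # a directive matched but no 'by' clause did: denied
    return "none"


def operator_access(bound_uid, user_attr, member_uid_values):
    """Access the bound user gets to bob's 'cn' and to adding children under
    ou=Users, for a given user-side set attribute and group contents."""
    directory = build_directory(member_uid_values)
    rules = acl_rules(user_attr)
    bound_dn = f"uid={bound_uid},{USERS_BASE}"
    return (
        access_level(directory, rules, bound_dn, f"uid=bob,{USERS_BASE}", "cn"),
        access_level(directory, rules, bound_dn, USERS_BASE, "children"),
    )


if __name__ == "__main__":
    # memberUid holding login names vs. numeric ids, against each set variant
    for attr, members in (("uid", ["alice"]), ("uidNumber", ["alice"]),
                          ("uidNumber", ["1001"]), ("uid", ["1001"])):
        print(f"user/{attr:<9} memberUid={members}: alice gets",
              operator_access("alice", attr, members))
    print("bob (not in group):", operator_access("bob", "uid", ["alice"]))
```

The mismatched combinations return ("read", "read") for alice even though she is listed in the group, which is exactly the "only read" behaviour reported in the question, while the matching ones return ("write", "write"); bob, who is in no group, always gets read. Against a real server the same question is answered by OpenLDAP's slapacl tool, e.g. `slapacl -f slapd.conf -D "uid=alice,ou=Users,dc=student,dc=local" -b "uid=bob,ou=Users,dc=student,dc=local" cn/write`, which evaluates the configured access list for that bound DN and target without needing a running slapd.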