[Date Prev][Date Next]
[Chronological]
[Thread]
[Top]
Re: ACL attr=children problem
On Wed, 2005-11-16 at 13:29 +0100, Jimmy Ott wrote:
> Hello,
>
> i have some problems when trying to set ACL for my Mail LDAP tree. Here
> a bit of background information:
>
> my sample tree in short form:
>
> dc=my,dc=domain,dc=com
> -> cn=admin,dc=my,dc=domains,dc=com
> -> ou=domains,dc=my,dc=domain,dc=com
> -> ou=otherdomain,ou=domains,dc=my,dc=domain,dc=com
> -> cn=postmaster,ou=otherdomain,ou=domains,dc=my,dc=domain,dc=com
> -> cn=mailuser1,ou=otherdomain,ou=domains,dc=my,dc=domain,dc=com
> -> cn=mailuser2,ou=otherdomain,ou=domains,dc=my,dc=domain,dc=com
>
> i want to give postmasters full access to their domain ou. in this
> example write access by
> cn=postmaster,ou=otherdomain,ou=domains,dc=my,dc=domain,dc=com to
> subtree of ou=otherdomain,ou=domains,dc=my,dc=domain,dc=com.
>
> i tested following static acl, so that i later can change and generalize
> it with regexp:
>
> access to dn="ou=otherdomain,ou=domains,dc=my,dc=domain,dc=com"
> attrs=children
> by dn="cn=postmaster,ou=otherdomain,ou=domains,dc=my,dc=domain,dc=com" write
>
> changes to object cn=mailuser1 in same ou fails with "insufficient
> access", so something went wrong with pseudo attr children.
Did you read slapd.access(5)? If you didn't, go and do it. If you did,
you might have misunderstood the meaning of the pseudo-attribute
"children".
p.
Ing. Pierangelo Masarati
Responsabile Open Solution
SysNet s.n.c.
Via Dossi, 8 - 27100 Pavia - ITALIA
http://www.sys-net.it
------------------------------------------
Office: +39.02.23998309
Mobile: +39.333.4963172
Email: pierangelo.masarati@sys-net.it
------------------------------------------