Re: ACL attr=children problem



Pierangelo Masarati wrote:
> On Wed, 2005-11-16 at 13:29 +0100, Jimmy Ott wrote:
> 
>>Hello,
>>
>>I have some problems when trying to set an ACL for my mail LDAP tree. Here
>>is a bit of background information:
>>
>>My sample tree in short form:
>>
>>dc=my,dc=domain,dc=com
>>-> cn=admin,dc=my,dc=domains,dc=com
>>-> ou=domains,dc=my,dc=domain,dc=com
>>   -> ou=otherdomain,ou=domains,dc=my,dc=domain,dc=com
>>      -> cn=postmaster,ou=otherdomain,ou=domains,dc=my,dc=domain,dc=com
>>      -> cn=mailuser1,ou=otherdomain,ou=domains,dc=my,dc=domain,dc=com
>>      -> cn=mailuser2,ou=otherdomain,ou=domains,dc=my,dc=domain,dc=com
>>
>>I want to give postmasters full access to their domain ou. In this
>>example, write access by
>>cn=postmaster,ou=otherdomain,ou=domains,dc=my,dc=domain,dc=com to the
>>subtree of ou=otherdomain,ou=domains,dc=my,dc=domain,dc=com.
>>
>>I tested the following static ACL, so that I can later change and generalize
>>it with regexp:
>>
>>access to dn="ou=otherdomain,ou=domains,dc=my,dc=domain,dc=com"
>>attrs=children
>>by dn="cn=postmaster,ou=otherdomain,ou=domains,dc=my,dc=domain,dc=com" write
>>
>>Changes to object cn=mailuser1 in the same ou fail with "insufficient
>>access", so something went wrong with the pseudo attr children.
> 
> 
> Did you read slapd.access(5)?  If you didn't, go and do it.  If you did,
> you might have misunderstood the meaning of the pseudo-attribute
> "children".
> 
> p.
> 
> Ing. Pierangelo Masarati
> Responsabile Open Solution
> 
> SysNet s.n.c.
> Via Dossi, 8 - 27100 Pavia - ITALIA
> http://www.sys-net.it
> ------------------------------------------
> Office:   +39.02.23998309          
> Mobile:   +39.333.4963172
> Email:    pierangelo.masarati@sys-net.it
> ------------------------------------------

I've read it a few times, but so I've misunderstood it; my English isn't
very good.

Quote: "The statement attrs=<attrlist> selects the attributes the access
control rule applies to. It is a comma-separated list of attribute
types, plus the special names entry, indicating access to the entry
itself, and children, indicating access to the entry's children"

What are the entry's children? Not child objects of an ou?
And what is the right approach for my problem?

Thanks in advance,
jimmy
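
Added example, not part of the original thread: a slapd.conf fragment showing the rule from the post next to a rule that covers modifications of entries below the ou. Per the operation requirements in slapd.access(5), write on a parent's `children` pseudo-attribute is only the parent-side check for adding or deleting an entry under it, while modifying an existing entry needs write on that entry's own attributes. The explicit `dn.base`/`dn.exact`/`dn.children` styles and the `by * break` clauses are assumptions about how the rest of the ACL set is laid out.

```conf
# Rule 1: the rule from the post, with explicit DN styles.
# Grants write on the "children" pseudo-attribute of the ou entry only.
# slapd checks this when an entry directly below the ou is added or deleted;
# it does not cover changing attributes of cn=mailuser1.
access to dn.base="ou=otherdomain,ou=domains,dc=my,dc=domain,dc=com" attrs=children
    by dn.exact="cn=postmaster,ou=otherdomain,ou=domains,dc=my,dc=domain,dc=com" write
    by * break

# Rule 2 (added): write on every entry below the ou, all attributes,
# including the "entry" and "children" pseudo-attributes of those entries.
# dn.children excludes the ou entry itself, so the postmaster can add, delete
# and modify mail users but cannot rewrite the ou's own attributes.
# "by * break" (assumption) lets all other identities fall through to later
# rules instead of hitting the implicit "by * none".
access to dn.children="ou=otherdomain,ou=domains,dc=my,dc=domain,dc=com"
    by dn.exact="cn=postmaster,ou=otherdomain,ou=domains,dc=my,dc=domain,dc=com" write
    by * break
```

slapd applies the first `access to` clause that matches the entry and attribute, so both rules have to appear before any broader rule for dc=my,dc=domain,dc=com.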