@OC notation in ACLs: does it include the OC itself?
(openldap-2.3.23)
If I have an ACL like this:

access to dn.subtree="dc=example,dc=com"
        attrs=@shadowAccount
        by group.exact="cn=LDAP Admins,ou=System Groups,dc=example,dc=com"
        by * none

Would it be equivalent to, instead of using @shadowAccount, just listing all
attributes of that class? Or does the above ACL also require that the entry has
the shadowAccount object class?
I ask because attributes are shared among different object classes. For
example, both posixAccount and shadowAccount use userPassword.
So, would the above ACL let a member of LDAP Admins update the userPassword
attribute in this sample entry?

dn: uid=foo,ou=People,dc=example,dc=com
uid: foo
objectClass: inetOrgPerson
objectClass: posixAccount
cn: foo
sn: foo
userPassword: secret <-----
(...)