Need some help with ACLs
- To: openldap-software@OpenLDAP.org
- Subject: Need some help with ACLs
- From: Rob Tanner <rtanner@linfield.edu>
- Date: Wed, 20 Sep 2006 13:32:06 -0700
- User-agent: Mozilla/5.0 (X11; U; Linux i686 (x86_64); en-US; rv:1.8.0.5) Gecko/20060719 Thunderbird/1.5.0.5 Mnenhy/0.7.4.666
Hi,
I'm in the process of moving from a Netscape server to OpenLDAP and I
have some fairly complex ACLs that I can't quite figure out how to
translate. I have a hierarchy that's two layers deep and the leaves are
ObjectClass groupOfUniqueNames. The top layer, owners, have full
privileges all the way to the bottom. Users (including anonymous) have
read access except for the owner and uniquemember attributes, and it's
that restriction that I'm not sure how to do. From what I understand, the
"attrs" of the "access to" clause enables specific access to
attributes. I tried using "!=" but OpenLDAP doesn't like that. Also,
the admin manual briefly talks about the "attrs" modifier but in the
examples uses an "attr" modifier. Is one of those a typo or are they
synonyms for each other?
Here's what I have so far:
access to dn.subtree="ou=classlists,o=linfield.edu"
    by dnattr=owner write
access to dn.subtree="ou=classlists,o=linfield.edu" [ attrs!=uniquemember,owner ?? ]
    by * read
Can someone help me out here?
Thanks.
Rob Tanner
Linfield College
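As an added illustration (not part of Rob's post or an answer from the list), here is one way to express the policy he describes in slapd.conf ACL syntax. It assumes the suffix from the post and that each group entry carries an `owner` attribute listing its owners' DNs; slapd uses the first `access to` clause whose target matches and ignores the rest, so the attribute-restricted rule must come first.

```conf
# Added example, not from the original post. Assumes the suffix
# "ou=classlists,o=linfield.edu" and that every entry in the subtree
# (including the groupOfUniqueNames leaves) has an "owner" attribute
# holding the DN(s) of its owners; dnattr= only looks at the target
# entry's own attribute, it does not inherit from the parent.
#
# slapd evaluates "access to" clauses top to bottom and applies the FIRST
# one whose target (dn + attrs) matches the request. There is no
# "attrs!=" form; excluding attributes is done by ordering a narrow
# rule before a broad one. "attrs" and "attr" are accepted synonyms.

# 1. owner and uniquemember: readable/writable by the owners only.
#    "by * none" is the implicit default, written out here for clarity.
access to dn.subtree="ou=classlists,o=linfield.edu"
        attrs=owner,uniquemember
    by dnattr=owner write
    by * none

# 2. Every other attribute in the subtree: owners write, everyone else
#    (anonymous included) reads. Requests for owner/uniquemember never
#    reach this rule because rule 1 already matched them.
access to dn.subtree="ou=classlists,o=linfield.edu"
    by dnattr=owner write
    by * read
```

After loading this, an anonymous `ldapsearch` against a group should return the entry without `owner` or `uniquemember`, while a bind as a listed owner should see and be able to modify both.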