
Re: Need some help with ACLs





--On Wednesday, September 20, 2006 1:32 PM -0700 Rob Tanner <rtanner@linfield.edu> wrote:

Hi,

I'm in the process of moving from a Netscape server to OpenLDAP and I
have some fairly complex ACLs that I can't quite figure out how to
translate.  I have a hierarchy that's two layers deep and the leaves are
ObjectClass groupOfUniqueNames.  The top layer, owners have full
privileges all the way to the bottom.  Users (including anonymous) have
read access except for the owner and uniquemember attributes, and it's
that restriction that I'm not sure how to.  From what I understand, the
"attrs" of the "access to" clause enables specific access to attributes.
I tried using "!=" but OpenLDAP doesn't like that.  Also, the admin
manuals briefly talk about the "attrs" modifier but in the examples
use an "attr" modifier.  Is one of those a typo or are they synonyms for
each other?

Here's what I have so far:

access to dn.subtree="ou=classlists,o=linfield.edu"
        by dnattr=owner write
access to dn.subtree="ou=classlists,o=linfield.edu"  [
attrs!=uniquemember,owner ?? ]
        by * read

access to dn.subtree="ou=classlists,o=linfield.edu"
        by dnattr=owner write
access to dn.subtree="ou=classlists,o=linfield.edu" attrs=uniquemember,owner
        by * none
access to dn.subtree="ou=classlists,o=linfield.edu"
        by * read

--Quanah

--
Quanah Gibson-Mount
Principal Software Developer
ITS/Shared Application Services
Stanford University
GnuPG Public Key: http://www.stanford.edu/~quanah/pgp.html
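As an added example (not code from either message in this thread), here is the same policy written as a slapd.conf ACL fragment with the attribute-specific directive placed first. It assumes the slapd.access(5) evaluation rule: directives are tried in order, the first "access to" whose target matches the entry or attribute is used, and if none of its "by" clauses matches the requester the implicit "by * none" applies. It also assumes the group entries carry an "owner" attribute holding the owners' DNs.

```conf
# Added example, not from the thread. slapd.conf ACL fragment for the
# classlists subtree. Assumes each groupOfUniqueNames entry has an "owner"
# attribute containing the DN(s) of its owners.
#
# Ordering matters: slapd stops at the first "access to" whose <what>
# matches the entry/attribute being checked, and a directive with no
# matching "by" clause ends with an implicit "by * none". A broad
# "access to dn.subtree=... by dnattr=owner write" placed first would
# therefore deny non-owners everything in the subtree, including read.

# 1. uniqueMember and owner only: writable by the entry's owners, hidden
#    from everyone else (the implicit "by * none" covers all other users,
#    including anonymous).
access to dn.subtree="ou=classlists,o=linfield.edu"
        attrs=uniqueMember,owner
        by dnattr=owner write

# 2. Every other attribute under the subtree: owners get write, all
#    others (including anonymous) get read.
access to dn.subtree="ou=classlists,o=linfield.edu"
        by dnattr=owner write
        by * read
```

Because the first directive matches only the two named attributes, requests for any other attribute of the same entry fall through to the second directive, so a non-owner still sees the rest of the group entry while uniqueMember and owner stay hidden.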