Re: Need some help with ACLs

[Howard Chu <hyc@symas.com>]

Rob Tanner wrote:
> On 09/20/2006 01:57 PM, Quanah Gibson-Mount wrote:

> > access to dn.subtree="ou=classlists,o=linfield.edu"
> >         by dnattr=owner write
> > access to dn.subtree="ou=classlists,o=linfield.edu" 
> > attrs=uniquemember,owner
> >     by * none
> > access to dn.subtree="ou=classlists,o=linfield.edu"
> >     by * read

> This gets me half way to my goal.  With the first ACL in place and 
> logging in as an owner (my DN in the owner attribute), I can see all the 
> nodes immediately beneath "ou=classlists,o=linfield.edu", but I cannot 
> see objects beneath them.

The above was wrong anyway. It should have been:

access to dn.subtree="ou=classlists,o=linfield.edu"
  attrs=uniquemember,owner
    by dnattr=owner write

access to dn.subtree="ou=classlists,o=linfield.edu"
    by dnattr=owner write
    by * read

(Remember, most specific first, unless you muck up the order with breaks.)

> A DN that is an owner at the top level, "ou=classlists,o=linfield.edu" 
> should have full read/write access to that object and to everything 
> underneath.  Someone who is an owner in a particular subject node, e.q., 
> "ou=mat,ou=classlists,o=linfield.edu", should have full read/write 
> access to that node and everything underneath, but not to anything 
> else.

See the FAQ-o-Matic.
http://www.openldap.org/faq/index.cgi?file=653

There are plenty of other examples there as well.

--
  -- Howard Chu
  Chief Architect, Symas Corp.  http://www.symas.com
  Director, Highland Sun        http://highlandsun.com/hyc
  OpenLDAP Core Team            http://www.openldap.org/project/