The above was wrong anyway. It should have been:
access to dn.subtree="ou=classlists,o=linfield.edu" attrs=uniquemember,owner by dnattr=owner write
access to dn.subtree="ou=classlists,o=linfield.edu" by dnattr=owner write by * read
(Remember, most specific first, unless you muck up the order with breaks.)
A DN that is an owner at the top level, "ou=classlists,o=linfield.edu" should have full read/write access to that object and to everything underneath. Someone who is an owner in a particular subject node, e.g., "ou=mat,ou=classlists,o=linfield.edu", should have full read/write access to that node and everything underneath, but not to anything else.
See the FAQ-o-Matic. http://www.openldap.org/faq/index.cgi?file=653
The ACLs now look like this:
access to dn.subtree="ou=classlists,o=linfield.edu" by dnattr=owner write by * read
So I'm still missing something that I don't understand.
-- Rob
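The behaviour Rob is running into can be reproduced with a small model of how slapd evaluates the two ACLs quoted above. This is an added illustration, not OpenLDAP code and not something from the original thread: it implements only the rules the post relies on (the first matching "access to" clause decides, within it the first matching "by" clause applies, a clause that matches but has no matching "by" yields none, and dnattr=owner tests the owner attribute of the entry being accessed). The directory contents and the bind DNs (cn=rob, cn=matowner) are constructed sample data; slapd's global default for DNs that match no clause at all is not modelled.

```python
"""Constructed model of slapd ACL evaluation for the ACLs in the post.

Not OpenLDAP code: only dn.subtree scoping, attrs= filtering, 'by dnattr=<attr>'
and 'by *' are modelled, plus first-match semantics for clauses and by-lists.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

BASE = "ou=classlists,o=linfield.edu"

# Constructed sample data: two bind DNs and a three-entry tree under BASE.
ROB = "cn=rob,o=linfield.edu"            # owner of the top-level node only
MATOWNER = "cn=matowner,o=linfield.edu"  # owner of the ou=mat node only

DIRECTORY: Dict[str, Dict[str, List[str]]] = {
    BASE: {"owner": [ROB]},
    "ou=mat," + BASE: {"owner": [MATOWNER]},
    # A leaf list entry: it carries members but no owner attribute of its own.
    "cn=mat101,ou=mat," + BASE: {"uniquemember": ["cn=student,o=linfield.edu"]},
}


@dataclass
class By:
    who: str    # "*" or "dnattr=<attrname>"
    level: str  # access level granted if this clause matches


@dataclass
class Acl:
    subtree: str                 # dn.subtree="..." scope
    bys: List[By]                # ordered 'by' clauses
    attrs: Optional[Set[str]] = None  # attrs=... filter; None = the entry itself


def in_subtree(dn: str, base: str) -> bool:
    """dn.subtree matches the base entry and everything below it."""
    return dn == base or dn.endswith("," + base)


def clause_applies(acl: Acl, target_dn: str, attr: Optional[str]) -> bool:
    """An 'access to' clause applies only if scope and attrs= filter both match."""
    if not in_subtree(target_dn, acl.subtree):
        return False
    if acl.attrs is not None:
        # An attrs= clause governs attribute access, not entry-level access.
        return attr is not None and attr in acl.attrs
    return True


def evaluate(acls: List[Acl], directory: Dict[str, Dict[str, List[str]]],
             bind_dn: str, target_dn: str, attr: Optional[str] = None) -> str:
    """Return the access level bind_dn gets on target_dn (or one attribute of it)."""
    entry = directory[target_dn]
    for acl in acls:
        if not clause_applies(acl, target_dn, attr):
            continue
        for by in acl.bys:
            if by.who == "*":
                return by.level
            if by.who.startswith("dnattr="):
                attrname = by.who.split("=", 1)[1]
                # dnattr looks at the TARGET entry's own attribute values;
                # values held by ancestors are irrelevant.
                if bind_dn in entry.get(attrname, []):
                    return by.level
        return "none"  # clause matched but no 'by' did: implicit 'by * none'
    return "none"      # fallback for this model only


# The two ACLs from the post, in the order given ("most specific first").
ACLS = [
    Acl(BASE, [By("dnattr=owner", "write")], attrs={"uniquemember", "owner"}),
    Acl(BASE, [By("dnattr=owner", "write"), By("*", "read")]),
]


def demo() -> Dict[str, str]:
    """Evaluate the cases the post describes and return the resulting levels."""
    mat = "ou=mat," + BASE
    mat101 = "cn=mat101," + mat
    return {
        "rob_owner_attr_on_top": evaluate(ACLS, DIRECTORY, ROB, BASE, "owner"),
        "rob_owner_attr_on_mat": evaluate(ACLS, DIRECTORY, ROB, mat, "owner"),
        "rob_entry_on_mat": evaluate(ACLS, DIRECTORY, ROB, mat),
        "matowner_members_on_mat": evaluate(ACLS, DIRECTORY, MATOWNER, mat, "uniquemember"),
        "matowner_members_on_mat101": evaluate(ACLS, DIRECTORY, MATOWNER, mat101, "uniquemember"),
    }


if __name__ == "__main__":
    for case, level in demo().items():
        print(f"{case:32s} -> {level}")
```

Run stand-alone, the model shows why the top-level owner does not inherit write access downwards: on ou=mat the first clause matches (the request is for the owner attribute), dnattr=owner is checked against ou=mat's own owner value, which is not Rob, and the clause ends with no matching "by", so the result is none rather than falling through to the second clause. The same thing happens to the ou=mat owner on the cn=mat101 leaf, which has no owner attribute at all.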