Re: acls and restricting permissions
On Tue, Dec 02, 2008 at 02:14:52PM +1000, Brett @Google wrote:
> Assuming we add to the above a user that has LESS access than the default ie:
>
> access to attr=c,o,ou,cn,sn,givenName,mail
> by dn.exact=cn=limited,dc=example,dc=com
> by * none (or break)
>
> This literally won't work as intended, because even if the above does
> not match, the
>
> access to *
> by self write
> by users read
>
> Will always give users read by default.
You could split the rule into two clauses:
access to attr=c,o,ou,cn,sn,givenName,mail,entry
by dn.exact=cn=limited,dc=example,dc=com read
by * break
access to *
by dn.exact=cn=limited,dc=example,dc=com none
by * break
Note that I have added the 'entry' pseudo-attribute to the first
clause. Depending on the structure of your DIT you may also need
to add rules to permit access to the RDN components of entries
higher up the tree.
The 'by * break' statement is an easy way of making sure this
clause does not affect any other users.
Andrew
--
-----------------------------------------------------------------------
| From Andrew Findlay, Skills 1st Ltd |
| Consultant in large-scale systems, networks, and directory services |
| http://www.skills-1st.co.uk/ +44 1628 782565 |
-----------------------------------------------------------------------
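An added example, not part of the thread and not slapd code: a small Python model of how slapd evaluates `access` directives (first directive whose `to` part matches the attribute, first `by` clause whose `who` part matches the requester, `break` moves on to the next directive, a selected directive with no matching `by` clause denies), run over Andrew's two clauses followed by the `access to * / by self write / by users read` rule from the quoted message. It also shows the effect of leaving the `entry` pseudo-attribute out of the first clause. The DNs `uid=alice,...` and `uid=bob,...`, the attribute `telephoneNumber`, and the omission of the `continue` control and `+`/`-` privilege syntax are assumptions made for the example.

```python
"""Toy model of slapd ACL evaluation (hypothetical helper, not OpenLDAP code).
Modelled after slapd.access(5): directives are tried in order and the first
whose <what> matches is selected; within it the first matching <by> decides;
'stop' (default) ends evaluation, 'break' moves on to the next directive;
a selected directive with no matching <by> denies, as does running out of
directives. 'continue' and +/- privilege modifiers are not modelled.
"""
from dataclasses import dataclass, field

LEVELS = ["none", "disclose", "auth", "compare", "search", "read", "write"]
CONTROLS = ("stop", "break")

@dataclass
class By:
    who: str             # "*", "anonymous", "users", "self" or "dn.exact=<dn>"
    level: str = "none"  # one of LEVELS; irrelevant when control is "break"
    control: str = "stop"

@dataclass
class Access:
    what: str                                 # "*" or "attr=a,b,c"
    bys: list = field(default_factory=list)

def parse_acl(text):
    """Parse the 'access to ... / by ...' text form used in slapd.conf."""
    acl = []
    for raw in text.splitlines():
        tokens = raw.split()
        if not tokens:
            continue
        if tokens[:2] == ["access", "to"]:
            acl.append(Access(what=tokens[2]))
        elif tokens[0] == "by":
            rest = tokens[2:]
            level = rest.pop(0) if rest and rest[0] in LEVELS else "none"
            control = rest.pop(0) if rest and rest[0] in CONTROLS else "stop"
            acl[-1].bys.append(By(tokens[1], level, control))
        else:
            raise ValueError("unsupported line: " + raw)
    return acl

def what_matches(what, attr):
    if what == "*":
        return True
    if what.startswith("attr="):
        return attr in what[len("attr="):].split(",")
    raise ValueError("unsupported <what>: " + what)

def who_matches(who, requester, target_dn):
    """requester is the bound DN, or None for an anonymous bind."""
    if who == "*":
        return True
    if who == "anonymous":
        return requester is None
    if who == "users":
        return requester is not None
    if who == "self":
        return requester is not None and requester.lower() == target_dn.lower()
    if who.startswith("dn.exact="):
        return requester is not None and requester.lower() == who[len("dn.exact="):].lower()
    raise ValueError("unsupported <who>: " + who)

def granted_level(acl, requester, target_dn, attr):
    """Access level the requester ends up with on one attribute of target_dn."""
    for directive in acl:
        if not what_matches(directive.what, attr):
            continue
        for by in directive.bys:
            if who_matches(by.who, requester, target_dn):
                break
        else:
            return "none"      # directive selected but nobody matched: deny
        if by.control == "break":
            continue           # abandon this directive, try the next one
        return by.level
    return "none"

def has_access(acl, requester, target_dn, attr, needed):
    return LEVELS.index(granted_level(acl, requester, target_dn, attr)) >= LEVELS.index(needed)

def visible_attributes(acl, requester, target_dn, attrs):
    """What a search returns: read on 'entry' is needed before any attribute shows."""
    if not has_access(acl, requester, target_dn, "entry", "read"):
        return []
    return [a for a in attrs if has_access(acl, requester, target_dn, a, "read")]

# Andrew's two clauses followed by the 'access to *' rule from the quoted message.
ACL_TEXT = """
access to attr=c,o,ou,cn,sn,givenName,mail,entry
    by dn.exact=cn=limited,dc=example,dc=com read
    by * break
access to *
    by dn.exact=cn=limited,dc=example,dc=com none
    by * break
access to *
    by self write
    by users read
"""
ACL_TEXT_NO_ENTRY = ACL_TEXT.replace(",entry", "")  # same rules minus 'entry'

LIMITED = "cn=limited,dc=example,dc=com"
ALICE = "uid=alice,ou=people,dc=example,dc=com"    # constructed sample DNs
BOB = "uid=bob,ou=people,dc=example,dc=com"
ATTRS = ["cn", "mail", "telephoneNumber", "userPassword"]  # constructed sample attrs

if __name__ == "__main__":
    acl = parse_acl(ACL_TEXT)
    for who in (LIMITED, BOB, ALICE, None):
        print(who, {a: granted_level(acl, who, ALICE, a) for a in ATTRS})
    print("limited sees:", visible_attributes(acl, LIMITED, ALICE, ATTRS))
    print("without entry:", visible_attributes(parse_acl(ACL_TEXT_NO_ENTRY), LIMITED, ALICE, ATTRS))
```

Running it shows the limited user reading only the listed attributes, ordinary users falling through both `by * break` clauses to the `users read` rule, anonymous binds getting nothing, and the limited user seeing no entries at all once `entry` is removed from the first clause, which is the point of Andrew's note about the pseudo-attribute.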