
Re: understanding ACLs: dn.subtree vs. attrs=@something



--On Tuesday, November 16, 2010 6:48 PM +0100 Isaac Hailperin <hailperin@zib.de> wrote:

Hi,

I am trying to build acls suitable to my setup:

I have posix accounts in ou=people,ou=unix,dc=acme,dc=org
and some more information about users (defined in an object class called
"acmeUserAccount") in ou=people,ou=useradm,dc=acme,dc=org.
Each posix account has a corresponding record in ou=useradm. These record
pairs are connected by having the uid attribute defined equally.

Now I want to restrict access to the ou=useradm tree, but not the ou=unix
tree. As far as I can understand, there are at least two ways to do so:

1. using something like
access to dn.subtree="ou=useradm,dc=acme,dc=org"
   by group="cn=useradmins,ou=group,ou=unix,dc=acme,dc=org" write
   by group="cn=consultants,ou=group,ou=unix,dc=acme,dc=org" read
   by * none
This works as expected - giving write access to members of useradmins,
and read access to members of consultants.

2. using something like
access to attrs=@acmeUserAccount
   by group="cn=useradmins,ou=group,ou=unix,dc=acme,dc=org" write
   by group="cn=consultants,ou=group,ou=unix,dc=acme,dc=org" read
   by * none
This also works as expected with regard to acmeUserAccount, but has
funny side effects on ou=unix.

I would change 2 to be:

access to dn.subtree="ou=useradm,dc=acme,dc=org" attrs=@acmeUserAccount

--Quanah

--

Quanah Gibson-Mount
Principal Software Engineer
Zimbra, Inc
--------------------
Zimbra ::  the leader in open source messaging and collaboration
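The rule Quanah suggests, written out as a complete slapd.conf fragment with the attrs-only form from the question kept beside it (commented out) for contrast. This is an added example, not configuration from the thread; the DNs are the ones from the original question, while the `entry`/`objectClass` rule and the trailing default rule are assumptions about the rest of the setup.

```conf
# Added example, not from the original thread. DNs are taken from the
# question; the last two rules are assumptions about the rest of the setup.

# Form 2 as posted: the <what> clause has no dn component, so it matches
# the attributes required or allowed by acmeUserAccount in EVERY entry of
# the database, including posixAccount entries under ou=unix that carry
# some of the same attributes (uid, for instance). "by * none" then hides
# those attributes there as well, which is the side effect on ou=unix.
#
#access to attrs=@acmeUserAccount
#   by group="cn=useradmins,ou=group,ou=unix,dc=acme,dc=org" write
#   by group="cn=consultants,ou=group,ou=unix,dc=acme,dc=org" read
#   by * none

# Corrected: scope the attribute selector to the ou=useradm subtree.
# The dn.subtree and attrs components of <what> must both match, so this
# rule only fires for acmeUserAccount attributes of entries under
# ou=useradm and never touches ou=unix.
access to dn.subtree="ou=useradm,dc=acme,dc=org" attrs=@acmeUserAccount
   by group="cn=useradmins,ou=group,ou=unix,dc=acme,dc=org" write
   by group="cn=consultants,ou=group,ou=unix,dc=acme,dc=org" read
   by * none

# Reading (or adding/deleting) an entry at all also requires access to the
# "entry" pseudo-attribute, which the attrs=@... rule above does not grant.
# Assumed rule: grant it, plus objectClass, to the same groups.
access to dn.subtree="ou=useradm,dc=acme,dc=org" attrs=entry,objectClass
   by group="cn=useradmins,ou=group,ou=unix,dc=acme,dc=org" write
   by group="cn=consultants,ou=group,ou=unix,dc=acme,dc=org" read
   by * none

# Everything else (including ou=unix) falls through to the rules below.
# Order matters: slapd uses the first "access to" clause whose <what>
# matches the target, so the useradm rules must come before any broader
# rule like this assumed default.
access to *
   by * read
```

Whether the `entry`/`objectClass` rule is needed depends on what follows in the file: if a later rule already grants read on those to the same groups, it can be dropped, but without some such grant clients that pass the attrs rule still cannot read the entries under ou=useradm.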