Re: understanding ACLs: dn.subtree vs. attrs=@something

[Quanah Gibson-Mount <quanah@zimbra.com>]

--On Tuesday, November 16, 2010 6:48 PM +0100 Isaac Hailperin 
<hailperin@zib.de> wrote:

> Hi,
>
> I am trying to build acls suitable to my setup:
>
> I have posix accounts in ou=people,ou=unix,dc=acme,dc=org
> and some more information about users (defined in an object class called
> "acmeUserAccount") in ou=people,ou=useradm,dc=acme,dc=org.
> Each posix account has a corresponding record in ou=useradm. These record
> pairs are connected by having the uid attribute defined equally.
>
> Now I want to restrict access to the ou=useradm tree, but not the ou=unix
> tree.
> As far as I can
> understand, there are at least two ways to do so:
>
> 1. using something like
> access to dn.subtree="ou=useradm,dc=acme,dc=org"
>    by group="cn=useradmins,ou=group,ou=unix,dc=acme,dc=org" write
>    by group="cn=consultants,ou=group,ou=unix,dc=acme,dc=org" read
>    by * none
> This works as expected - giving write access to members of useradmins,
> and read access to members of consultants.
>
> 2. using something like
> access to attrs=@acmeUserAccount
>    by group="cn=useradmins,ou=group,ou=unix,dc=acme,dc=org" write
>    by group="cn=consultants,ou=group,ou=unix,dc=acme,dc=org" read
>    by * none
> This also works as expected with regards to acmeUserAccount, but has
> funny side effects on ou=unix.

I would change 2 to be:

access to dn.subtree="ou=useradm,dc=acme,dc=org" attrs=@acmeUserAccount

--Quanah

--

Quanah Gibson-Mount
Principal Software Engineer
Zimbra, Inc
--------------------
Zimbra ::  the leader in open source messaging and collaboration