Hi,
I am trying to build acls suitable to my setup:
I have posix accounts in ou=people,ou=unix,dc=acme,dc=org
and some more information about users (defined in an object class called
"acmeUserAccount") in ou=people,ou=useradm,dc=acme,dc=org.
Each posix account has a corresponding record in ou=useradm. These record
pairs are connected by having the uid attribute defined equally.
Now I want to restrict access to the ou=useradm tree, but not the ou=unix
tree.
As far as I can understand, there are at least two ways to do so:
1. using something like
access to dn.subtree="ou=useradm,dc=acme,dc=org"
by group="cn=useradmins,ou=group,ou=unix,dc=acme,dc=org" write
by group="cn=consultants,ou=group,ou=unix,dc=acme,dc=org" read
by * none
This works as expected - giving write access to members of useradmins,
and read access to members of consultants.
2. using something like
access to attrs=@acmeUserAccount
by group="cn=useradmins,ou=group,ou=unix,dc=acme,dc=org" write
by group="cn=consultants,ou=group,ou=unix,dc=acme,dc=org" read
by * none
This also works as expected with regards to acmeUserAccount, but has
funny side effects on ou=unix.
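The two forms above can be combined so that the attribute-level rule is confined to ou=useradm. The following slapd.conf fragment is an added example, not part of the original post; it assumes the DNs used above and that the acmeUserAccount object class allows the uid attribute (the link attribute), which the posixAccount entries under ou=unix also carry.

```conf
# Added example (not from the original post). Assumed: the DNs from the
# post, and that @acmeUserAccount expands to a set of attributes that
# includes uid, which also exists on posixAccount entries under ou=unix.
#
# slapd evaluates "access to" clauses in order, and the first clause whose
# target matches the (entry, attribute) pair being checked is the one used.
# Once any access directive is present, the implicit final rule is
# "access to * by * none", so everything that should be readable has to be
# granted explicitly.

# 1. Restrict the acmeUserAccount attributes, but only inside ou=useradm.
#    Without the dn.subtree qualifier this same rule is global: uid (and
#    every other attribute in @acmeUserAccount) on ou=unix entries would
#    fall under "by * none" for anyone outside the two groups, which is the
#    side effect seen with form 2.
access to dn.subtree="ou=useradm,dc=acme,dc=org" attrs=@acmeUserAccount
        by group="cn=useradmins,ou=group,ou=unix,dc=acme,dc=org" write
        by group="cn=consultants,ou=group,ou=unix,dc=acme,dc=org" read
        by * none

# 2. The rest of each ou=useradm entry (objectClass, and the "entry"
#    pseudo-attribute in particular) is not covered by rule 1. Read access
#    to "entry" is required before any attribute of an entry is returned,
#    so without a rule like this consultants would see nothing at all.
#    Here authenticated users may see that the entries exist; narrow
#    "by users" to the consultants group if that is too much.
access to dn.subtree="ou=useradm,dc=acme,dc=org"
        by group="cn=useradmins,ou=group,ou=unix,dc=acme,dc=org" write
        by users read
        by * none

# 3. ou=unix keeps whatever policy it had before; world-readable posix
#    accounts are shown here as an example value, not as a recommendation.
access to dn.subtree="ou=unix,dc=acme,dc=org"
        by * read
```

To check the result offline against the configuration, `slapacl` evaluates the ACLs for a given bind DN, target DN and attribute without a running server, for example `slapacl -v -b "uid=jdoe,ou=people,ou=useradm,dc=acme,dc=org" -D "uid=consultant1,ou=people,ou=unix,dc=acme,dc=org" uid` (both DNs hypothetical); run the same command with a target under ou=unix to confirm that uid there is still readable.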