
Re: understanding ACLs: dn.subtree vs. attrs=@something

On 11/16/2010 07:04 PM, Quanah Gibson-Mount wrote:
--On Tuesday, November 16, 2010 6:48 PM +0100 Isaac Hailperin
<hailperin@zib.de> wrote:

Hi,

I am trying to build acls suitable to my setup:

I have posix accounts in ou=people,ou=unix,dc=acme,dc=org
and some more information about users (defined in an object class called
"acmeUserAccount") in ou=people,ou=useradm,dc=acme,dc=org.
Each posix account has a corresponding record in ou=useradm. These record
pairs are connected by having the uid attribute defined equally.

Now I want to restrict access to the ou=useradm tree, but not the ou=unix
tree.
As far as I can understand, there are at least two ways to do so:

1. using something like
access to dn.subtree="ou=useradm,dc=acme,dc=org"
        by group="cn=useradmins,ou=group,ou=unix,dc=acme,dc=org" write
        by group="cn=consultants,ou=group,ou=unix,dc=acme,dc=org" read
        by * none
This works as expected - giving write access to members of useradmins,
and read access to members of consultants.

2. using something like
access to attrs=@acmeUserAccount
        by group="cn=useradmins,ou=group,ou=unix,dc=acme,dc=org" write
        by group="cn=consultants,ou=group,ou=unix,dc=acme,dc=org" read
        by * none
This also works as expected with regards to acmeUserAccount, but has
funny side effects on ou=unix.

I would change 2 to be:

access to dn.subtree="ou=useradm,dc=acme,dc=org" attrs=@acmeUserAccount
That works without side effects. Thank you :-)
But I still don't understand why 2 has side effects.

Isaac
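The side effect Isaac asks about comes from how slapd expands the target. In slapd.access(5), attrs=@<objectClass> means "every attribute type that objectClass requires or allows", with no restriction on where in the DIT the entry lives, and the first "access to" clause whose target matches an (entry, attribute) pair decides the outcome. Since uid is an attribute of both acmeUserAccount and posixAccount, variant 2 silently takes over access to uid on the posixAccount entries under ou=unix as well, ending in "by * none" for everyone outside the two groups. The toy evaluator below is an added illustration for this thread, not OpenLDAP code and not from either poster; the schema (acmeUserAccount with uid and an invented acmeRole, a trimmed posixAccount), the two alice entries and the "defaultaccess read" fallback are assumptions made to keep it self-contained.

```python
# Constructed toy model of the two slapd ACL target forms from the thread
# (not OpenLDAP code). It reproduces slapd's first-match evaluation only far
# enough to show why 'attrs=@acmeUserAccount' alone reaches into ou=unix and
# why adding 'dn.subtree=...' to the same clause removes the side effect.

# Assumed schema: objectClass -> attribute types it requires or allows.
# slapd expands attrs=@<objectClass> to exactly this MUST+MAY union.
# acmeUserAccount is invented for the example; posixAccount is trimmed.
SCHEMA = {
    "acmeUserAccount": {"uid", "acmeRole"},
    "posixAccount": {"uid", "uidNumber", "gidNumber", "homeDirectory"},
}

USERADMINS = "cn=useradmins,ou=group,ou=unix,dc=acme,dc=org"
CONSULTANTS = "cn=consultants,ou=group,ou=unix,dc=acme,dc=org"

# Constructed entries: one posix account and its ou=useradm counterpart,
# linked by the same uid value (only attribute names matter here).
UNIX_DN = "uid=alice,ou=people,ou=unix,dc=acme,dc=org"
USERADM_DN = "uid=alice,ou=people,ou=useradm,dc=acme,dc=org"
ENTRIES = {
    UNIX_DN: SCHEMA["posixAccount"],
    USERADM_DN: SCHEMA["acmeUserAccount"],
}

# The 'by' list shared by all three variants in the thread.
BY = [("group=" + USERADMINS, "write"),
      ("group=" + CONSULTANTS, "read"),
      ("*", "none")]

# Variant 1: target chosen by subtree only.
ACL_SUBTREE = [{"dn_subtree": "ou=useradm,dc=acme,dc=org", "by": BY}]
# Variant 2: target chosen by objectClass attributes only, no DN restriction.
ACL_ATTRS = [{"attrs": ["@acmeUserAccount"], "by": BY}]
# Quanah's suggestion: both conditions on one clause.
ACL_COMBINED = [{"dn_subtree": "ou=useradm,dc=acme,dc=org",
                 "attrs": ["@acmeUserAccount"], "by": BY}]


def in_subtree(dn, base):
    """dn.subtree matches the base entry and everything below it."""
    return dn == base or dn.endswith("," + base)


def expand_attrs(attrs_spec):
    """Expand an attrs= list; '@class' becomes that class's MUST+MAY set."""
    out = set()
    for a in attrs_spec:
        out |= SCHEMA[a[1:]] if a.startswith("@") else {a}
    return out


def target_matches(rule, dn, attr):
    """Does this 'access to' clause govern attribute attr of entry dn?"""
    base = rule.get("dn_subtree")
    if base is not None and not in_subtree(dn, base):
        return False
    attrs = rule.get("attrs")
    return attrs is None or attr in expand_attrs(attrs)


def evaluate(acl, groups, dn, attr):
    """Access level a bind identity that is a member of `groups` gets on (dn, attr).

    As in slapd, the first 'access to' clause whose target matches decides;
    later clauses are never consulted for that pair. Within the clause the
    first matching 'by' wins, with an implicit 'by * none' at the end. If no
    clause matches at all, the assumed fallback is slapd.conf's defaultaccess,
    whose default is read.
    """
    for rule in acl:
        if not target_matches(rule, dn, attr):
            continue
        for subject, level in rule["by"]:
            if subject == "*" or (subject.startswith("group=")
                                  and subject[len("group="):] in groups):
                return level
        return "none"
    return "read"


def governed_attrs(acl, dn):
    """Attributes of entry dn whose access is decided by some clause of acl.

    For an entry outside ou=useradm this set should be empty; anything in it
    is exactly the 'funny side effect' reported on ou=unix.
    """
    return {a for a in ENTRIES[dn]
            if any(target_matches(r, dn, a) for r in acl)}


if __name__ == "__main__":
    anon = set()
    print("variant 2, anonymous, uid on posix entry:",
          evaluate(ACL_ATTRS, anon, UNIX_DN, "uid"))        # none
    print("variant 2 governs on ou=unix entry:",
          governed_attrs(ACL_ATTRS, UNIX_DN))               # {'uid'}
    print("combined, anonymous, uid on posix entry:",
          evaluate(ACL_COMBINED, anon, UNIX_DN, "uid"))     # read
    print("combined governs on ou=unix entry:",
          governed_attrs(ACL_COMBINED, UNIX_DN))            # set()
```

Running it shows the mechanism: with variant 2 the clause claims uid on the posixAccount entry (governed_attrs returns {'uid'}) and an anonymous or unprivileged bind lands on "by * none", so lookups of posix users start failing on that attribute while uidNumber and friends stay at the default. With the subtree qualifier added, no clause matches anything under ou=unix and the ou=useradm entries are protected exactly as before. When auditing real ACLs, the equivalent check is slapacl(8) against a DN under ou=unix for the attributes shared between the two object classes.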