[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: understanding ACLs: dn.subtree vs. attrs=@something



--On Wednesday, November 17, 2010 12:39 PM +0100 Isaac Hailperin <hailperin@zib.de> wrote:

access to dn.subtree="ou=useradm,dc=acme,dc=org" attrs=@acmeUserAccount
That works without sideeffects. Thank you :-)
But I still don't understand why 2 has side effects.

@acmeUserAccount by itself is going to affect access to all the attributes that are in that objectClass. It's really just shorthand for that list of attributes in that objectClass. So if you used the some of the same attributes in your other tree, they would be affected as well. By adding the specific subtree restriction, then you no longer affect those attributes elsewhere.

--Quanah

--

Quanah Gibson-Mount
Principal Software Engineer
Zimbra, Inc
--------------------
Zimbra ::  the leader in open source messaging and collaboration