Re: attrs=@objectClassName affects objectClass attribute
On 6/6/2012 6:36 PM, Howard Chu wrote:
> Don't inherit from top.
In my case, removing top ObjectClass from an entry does not change behavior.
Here is the entry, after removing top:
DN: uid=tester,ou=people,dc=example,dc=com
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
objectClass: eduPerson
objectClass: schacContactLocation
objectClass: entryAccessEntities
cn: Tester
eduPersonAffiliation: staff
eduPersonOrgDN: dc=example,dc=com
eduPersonOrgUnitDN: ou=people,dc=example,dc=com
eduPersonPrimaryAffiliation: staff
eduPersonPrimaryOrgUnitDN: ou=people,dc=example,dc=com
eduPersonPrincipalName: tester@example.com
eduPersonScopedAffiliation: staff@example.com
employeeType: unl
givenName: Tester
mail: tester@example.com
o: example
ou: research
schacHomeOrganization: example.com
sn: Tester
title: Scientific Technical Staff
uid: tester
userPassword:: secret
writeAccessEntities: cn=Admins,ou=Groups,dc=example,dc=com
When I use:
{xx}to dn.subtree="ou=people,dc=example,dc=com" attrs=@entryAccessEntities
    by group/groupOfNames/member.exact="cn=admins,ou=groups,dc=example,dc=com" read
*NOTE:* The DN should have write access to all other attrs, based on other ACLs.
then:
# slapacl -b "uid=tester,ou=people,dc=example,dc=com" -D "uid=admin1,ou=people,dc=example,dc=com"
authcDN: "uid=admin1,ou=people,dc=example,dc=com"
entry: write(=wrscxd)
children: write(=wrscxd)
...
objectClass=person: read(=rscxd)
objectClass=organizationalPerson: read(=rscxd)
objectClass=inetOrgPerson: read(=rscxd)
objectClass=eduPerson: read(=rscxd)
objectClass=schacContactLocation: read(=rscxd)
objectClass=entryAccessEntities: read(=rscxd)
...
writeAccessEntities=cn=Admins,ou=Groups,dc=example,dc=com: read(=rscxd)
but when:
{xx}to dn.subtree="ou=people,dc=example,dc=com" attrs=writeAccessEntities,readAccessEntities,searchAccessEntities
    by group/groupOfNames/member.exact="cn=admins,ou=groups,dc=example,dc=com" read
then:
# slapacl -b "uid=tester,ou=people,dc=example,dc=com" -D "uid=admin1,ou=people,dc=example,dc=com"
authcDN: "uid=admin1,ou=people,dc=example,dc=com"
entry: write(=wrscxd)
children: write(=wrscxd)
...
objectClass=person: write(=wrscxd)
objectClass=organizationalPerson: write(=wrscxd)
objectClass=inetOrgPerson: write(=wrscxd)
objectClass=eduPerson: write(=wrscxd)
objectClass=schacContactLocation: write(=wrscxd)
objectClass=entryAccessEntities: write(=wrscxd)
...
writeAccessEntities=cn=Admins,ou=Groups,dc=example,dc=com: read(=rscxd)
Please advise.
Thanks,
Nick
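
The comparison made by hand in the message above can be turned into a repeatable ACL regression check. This is an added example, not part of the original post or of OpenLDAP: the function names are hypothetical, and the sample input is abbreviated from the two slapacl runs quoted in the message.

```python
import re

# Constructed sample: abbreviated slapacl output with attrs=@entryAccessEntities.
CLASS_FORM = """\
authcDN: "uid=admin1,ou=people,dc=example,dc=com"
entry: write(=wrscxd)
objectClass=person: read(=rscxd)
objectClass=organizationalPerson: read(=rscxd)
objectClass=inetOrgPerson: read(=rscxd)
objectClass=eduPerson: read(=rscxd)
objectClass=schacContactLocation: read(=rscxd)
objectClass=entryAccessEntities: read(=rscxd)
writeAccessEntities=cn=Admins,ou=Groups,dc=example,dc=com: read(=rscxd)
"""
# Constructed sample: abbreviated output with the explicit attribute list.
LIST_FORM = """\
entry: write(=wrscxd)
objectClass=person: write(=wrscxd)
objectClass=organizationalPerson: write(=wrscxd)
objectClass=inetOrgPerson: write(=wrscxd)
objectClass=eduPerson: write(=wrscxd)
objectClass=schacContactLocation: write(=wrscxd)
objectClass=entryAccessEntities: write(=wrscxd)
writeAccessEntities=cn=Admins,ou=Groups,dc=example,dc=com: read(=rscxd)
"""

# Result lines look like "target: level(=privs)"; the target may itself hold
# "=" and "," (DN values), so the greedy match anchors on the trailing level.
LINE = re.compile(r'^(?P<target>.+): (?P<level>[a-z]+)\(=(?P<privs>[a-z0]*)\)$')

def parse_slapacl(text):
    """Map each target ("entry", "attr=value") to (level, privilege letters)."""
    result = {}
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if m:  # header lines such as authcDN and "..." do not match
            result[m['target']] = (m['level'], m['privs'])
    return result

def diff_access(before, after):
    """Return {target: (old_level, new_level)} where the two runs disagree."""
    a, b = parse_slapacl(before), parse_slapacl(after)
    return {t: (a[t][0], b[t][0]) for t in a if t in b and a[t] != b[t]}

def violations(text, expected):
    """List (target, level) pairs whose attribute misses its expected level."""
    return [(t, lvl) for t, (lvl, _) in parse_slapacl(text).items()
            if expected.get(t.split('=', 1)[0], lvl) != lvl]
```

Calling `violations()` with the levels the ACL set is meant to grant (here, write on objectClass and read on writeAccessEntities, per the note in the message) after each ACL change flags any rule that silently narrows or widens access.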