
Re: attrs=@objectClassName affects objectClass attribute



On 6/6/2012 6:36 PM, Howard Chu wrote:

Don't inherit from top.

In my case, removing top ObjectClass from an entry does not change behavior.

Here is the entry, after removing top:

DN: uid=tester,ou=people,dc=example,dc=com
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
objectClass: eduPerson
objectClass: schacContactLocation
objectClass: entryAccessEntities
cn: Tester
eduPersonAffiliation: staff
eduPersonOrgDN: dc=example,dc=com
eduPersonOrgUnitDN: ou=people,dc=example,dc=com
eduPersonPrimaryAffiliation: staff
eduPersonPrimaryOrgUnitDN: ou=people,dc=example,dc=com
eduPersonPrincipalName: tester@example.com
eduPersonScopedAffiliation: staff@example.com
employeeType: unl
givenName: Tester
mail: tester@example.com
o: example
ou: research
schacHomeOrganization: example.com
sn: Tester
title: Scientific Technical Staff
uid: tester
userPassword:: secret
writeAccessEntities: cn=Admins,ou=Groups,dc=example,dc=com

When I use:

{xx}to dn.subtree="ou=people,dc=example,dc=com" attrs=@entryAccessEntities by group/groupOfNames/member.exact="cn=admins,ou=groups,dc=example,dc=com" read

*NOTE:* The DN should have write access to all other attrs, based on other ACLs

then:

# slapacl -b "uid=tester,ou=people,dc=example,dc=com" -D "uid=admin1,ou=people,dc=example,dc=com"
authcDN: "uid=admin1,ou=people,dc=example,dc=com"
entry: write(=wrscxd)
children: write(=wrscxd)
...
objectClass=person: read(=rscxd)
objectClass=organizationalPerson: read(=rscxd)
objectClass=inetOrgPerson: read(=rscxd)
objectClass=eduPerson: read(=rscxd)
objectClass=schacContactLocation: read(=rscxd)
objectClass=entryAccessEntities: read(=rscxd)
...
writeAccessEntities=cn=Admins,ou=Groups,dc=example,dc=com: read(=rscxd)

but when:

{xx}to dn.subtree="ou=people,dc=example,dc=com" attrs=writeAccessEntities,readAccessEntities,searchAccessEntities by group/groupOfNames/member.exact="cn=admins,ou=groups,dc=example,dc=com" read

then:

# slapacl -b "uid=tester,ou=people,dc=example,dc=com" -D "uid=admin1,ou=people,dc=example,dc=com"
authcDN: "uid=admin1,ou=people,dc=example,dc=com"
entry: write(=wrscxd)
children: write(=wrscxd)
...
objectClass=person: write(=wrscxd)
objectClass=organizationalPerson: write(=wrscxd)
objectClass=inetOrgPerson: write(=wrscxd)
objectClass=eduPerson: write(=wrscxd)
objectClass=schacContactLocation: write(=wrscxd)
objectClass=entryAccessEntities: write(=wrscxd)
...
writeAccessEntities=cn=Admins,ou=Groups,dc=example,dc=com: read(=rscxd)

Please advise.

Thanks,
Nick
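
An added example, not part of the original message: a Python helper that parses two `slapacl` outputs and lists the targets whose effective access differs, which makes the objectClass difference between the two ACL variants above easy to check after each ACL change. The function and variable names are hypothetical; the sample text is a subset of the lines from the two runs in the message.

```python
import re

# slapacl prints one result per line as "<target>: <level>(=<privileges>)",
# where <target> is "entry", "children", or "attr=value".
RESULT = re.compile(r"^(?P<target>.+): (?P<level>[a-z]+)\(=(?P<privs>[a-z0]+)\)$")

def parse_slapacl(text):
    """Map each target to its (level, privilege letters) pair."""
    access = {}
    for line in text.splitlines():
        m = RESULT.match(line.strip())
        if m:  # skips the command line, authcDN and "..." lines
            access[m["target"]] = (m["level"], m["privs"])
    return access

def access_diff(first, second):
    """Return {target: (access in first, access in second)} where they differ."""
    a, b = parse_slapacl(first), parse_slapacl(second)
    return {t: (a.get(t), b.get(t))
            for t in sorted(a.keys() | b.keys()) if a.get(t) != b.get(t)}

# Sample input: lines copied from the two slapacl runs in the message.
WITH_OBJECTCLASS_SET = """\
authcDN: "uid=admin1,ou=people,dc=example,dc=com"
entry: write(=wrscxd)
children: write(=wrscxd)
objectClass=person: read(=rscxd)
objectClass=entryAccessEntities: read(=rscxd)
writeAccessEntities=cn=Admins,ou=Groups,dc=example,dc=com: read(=rscxd)
"""
WITH_ATTRIBUTE_LIST = """\
authcDN: "uid=admin1,ou=people,dc=example,dc=com"
entry: write(=wrscxd)
children: write(=wrscxd)
objectClass=person: write(=wrscxd)
objectClass=entryAccessEntities: write(=wrscxd)
writeAccessEntities=cn=Admins,ou=Groups,dc=example,dc=com: read(=rscxd)
"""

if __name__ == "__main__":
    diff = access_diff(WITH_OBJECTCLASS_SET, WITH_ATTRIBUTE_LIST)
    for target, (one, two) in diff.items():
        print(f"{target}: {one} -> {two}")
```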