Hi, I am trying to write acl statements that implement to following scenario: with the exception of cn=radius,ou=sa,dc=test,dc=com every user should be able to see all objects under ou=users,dc=test,dc=com. cn=radius,ou=sa,dc=test,dc=com should only see objects under ou=users,dc=test,dc=com with objectClass=radiusprofile I have tried the following acl statements which unfortunately do not work: ------------------------------- {11}to filter="(!(objectClass=radiusprofile))" by dn.exact="cn=radius,ou=sa,dc=test,dc=com" none by * break {12}to dn.subtree="ou=users,dc=test,dc=com" attrs=entry,@top,cn,entryUUID by users read by * break ------------------------------- statement {11} results in cn=radius,ou=sa,dc=test,dc=com not being able to see any objects. interestingly if I set the filter in {11} to "(objectClass=radiusprofile)" (without the inversion(!)) cn=radius,ou=sa,dc=test,dc=com can see all objects not having objectClass=radiusprofile, which is exactly the opposite of what I am trying to do. why does the inversion (!) in the filter statement result in cn=radius,ou=sa,dc=test,dc=com not being able to see any objects? Marvin
Attachment:
smime.p7s
Description: S/MIME cryptographic signature