[Date Prev][Date Next] [Chronological] [Thread] [Top]

acls

To: "openldap-technical@openldap.org" <openldap-technical@openldap.org>
Subject: acls
From: "Mundry, Marvin" <Marvin.Mundry@uni-hamburg.de>
Date: Wed, 15 Aug 2012 09:04:04 +0000
Accept-language: en-GB, de-DE, en-US
Content-language: de-DE
Thread-index: Ac16xH+RVOHYxP6ySDuzCK00o/6Tww==
Thread-topic: acls

Hi,
I am trying to write acl statements that implement to following scenario:

with the exception of cn=radius,ou=sa,dc=test,dc=com
every user should be able to see all objects under ou=users,dc=test,dc=com.
cn=radius,ou=sa,dc=test,dc=com should only see objects under ou=users,dc=test,dc=com with objectClass=radiusprofile


I have tried the following acl statements which unfortunately do not work:
-------------------------------
{11}to filter="(!(objectClass=radiusprofile))"
by dn.exact="cn=radius,ou=sa,dc=test,dc=com" none
by *  break

{12}to dn.subtree="ou=users,dc=test,dc=com" attrs=entry,@top,cn,entryUUID
by users read
by * break
-------------------------------
statement {11} results in cn=radius,ou=sa,dc=test,dc=com not being able to see any objects.
interestingly if I set the filter in {11} to "(objectClass=radiusprofile)" (without the inversion(!))
cn=radius,ou=sa,dc=test,dc=com can see all objects not having objectClass=radiusprofile, which is exactly the opposite of what I am
trying to do.

why does the inversion (!) in the filter statement result in cn=radius,ou=sa,dc=test,dc=com
not being able to see any objects?


Marvin

Attachment: smime.p7s
Description: S/MIME cryptographic signature

Follow-Ups:
- Re: acls
  - From: Peter Gietz <peter.gietz@daasi.de>

Prev by Date: write an acl with sets and compare connecting peername.ip with ipHost entry (ipHostNumber)
Next by Date: Re: acls
Index(es):
- Chronological
- Thread