> > I am trying to write acl statements that implement the following scenario:
> >
> > with the exception of cn=radius,ou=sa,dc=test,dc=com every user should
> > be able to see all objects under ou=users,dc=test,dc=com.
> > cn=radius,ou=sa,dc=test,dc=com should only see objects under
> > ou=users,dc=test,dc=com with objectClass=radiusprofile

On 15.08.2012 11:41, Peter Gietz wrote:
> what about something like:
> access to dn.subtree=ou=users,dc=test,dc=com filter="(objectClass=radiusprofile)"
>     by dn=cn=radius,ou=sa,dc=test,dc=com read
> access to dn.subtree=ou=users,dc=test,dc=com
>     by dn=cn=radius,ou=sa,dc=test,dc=com none
>     by users read

thanks for your help peter!

the statements you suggested result in the same situation as those I came up with in my last post. the second statement (access by radius none) seems to override the first statement. i.e. if the second statement is in place cn=radius is not able to see anything under ou=users,dc=test,dc=com anymore no matter what objectclass the objects in the container have.

regards,
marvin
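A simplified model of slapd's first-match ACL evaluation, applied to the two clauses quoted in the message above. It is an added illustration, not code from the thread or from OpenLDAP. The sample entries and the uid=carol bind DN are constructed, and filter matching is reduced to an objectClass membership test.

```python
# Simplified model of slapd ACL evaluation (added example, not slapd code).
# Per slapd.access(5): the first clause whose <what> matches is the only one
# consulted, and every clause ends with an implicit "by * none".
RADIUS = "cn=radius,ou=sa,dc=test,dc=com"
SUBTREE = "ou=users,dc=test,dc=com"
OTHER = "uid=carol," + SUBTREE          # constructed ordinary user

# The two quoted clauses: (subtree, required objectClass or None, by-list)
ACLS = [
    (SUBTREE, "radiusprofile", [(RADIUS, "read")]),
    (SUBTREE, None, [(RADIUS, "none"), ("users", "read")]),
]

# Constructed sample entries. "base" is the container itself; slapd.access(5)
# says a search needs search privilege on the searchBase object's entry.
ENTRIES = {
    "base":  {"dn": SUBTREE, "objectClass": ["organizationalunit"]},
    "alice": {"dn": "uid=alice," + SUBTREE,
              "objectClass": ["inetorgperson", "radiusprofile"]},
    "bob":   {"dn": "uid=bob," + SUBTREE, "objectClass": ["inetorgperson"]},
}

def in_subtree(dn, base):
    dn, base = dn.lower(), base.lower()
    return dn == base or dn.endswith("," + base)

def who_matches(who, bind_dn):
    if bind_dn is None:                  # anonymous matches neither <who>
        return False
    return who == "users" or bind_dn.lower() == who.lower()

def access(bind_dn, entry):
    """Access level granted on `entry` under first-match evaluation."""
    for base, oc, by_list in ACLS:
        if not in_subtree(entry["dn"], base):
            continue
        if oc and oc not in entry["objectClass"]:
            continue
        for who, level in by_list:       # first matching <who> wins
            if who_matches(who, bind_dn):
                return level
        return "none"                    # implicit trailing "by * none"
    return "none"                        # no clause matched this entry

def report():
    """Map (identity, entry name) to the granted access level."""
    ids = {"radius": RADIUS, "other": OTHER}
    return {(i, n): access(dn, e) for i, dn in ids.items()
            for n, e in ENTRIES.items()}
```

In this model cn=radius gets `none` on the ou=users container entry, and other users get `none` on radiusprofile entries because the first clause lists no `by` line for them.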