[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: acls

To: "Mundry, Marvin" <Marvin.Mundry@uni-hamburg.de>
Subject: Re: acls
From: Peter Gietz <peter.gietz@daasi.de>
Date: Mon, 20 Aug 2012 12:46:19 +0200
Cc: "openldap-technical@openldap.org" <openldap-technical@openldap.org>
In-reply-to: <83F4AF6808820F419C8919CC1356D0E16029BB@HVN-VSRV-MBX2.HVN.uni-hamburg.de>
References: <83F4AF6808820F419C8919CC1356D0E160266C@HVN-VSRV-MBX2.HVN.uni-hamburg.de> <502B6E94.1040106@daasi.de> <83F4AF6808820F419C8919CC1356D0E16029BB@HVN-VSRV-MBX2.HVN.uni-hamburg.de>
User-agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:14.0) Gecko/20120713 Thunderbird/14.0

Am 16.08.2012 14:03, schrieb Mundry, Marvin:
>>> I am trying to write acl statements that implement to following scenario:
>>>
>>> with the exception of cn=radius,ou=sa,dc=test,dc=com every user should
>>> be able to see all objects under ou=users,dc=test,dc=com.
>>> cn=radius,ou=sa,dc=test,dc=com should only see objects under
>>> ou=users,dc=test,dc=com with objectClass=radiusprofile
> On 15.08.2012 11:41, Peter Gietz wrote:
>> what about something like:
>> access to dn.subtree=ou=users,dc=test,dc=com filter="(objectClass=radiusprofile)"
>> by dn=cn=radius,ou=sa,dc=test,dc=com read
>> access to dn.subtree=ou=users,dc=test,dc=com
>> by dn=cn=radius,ou=sa,dc=test,dc=com none
>> by users read
> thanks for your help peter!
> the statements you suggested result in in the same situation as those I came up with in my last post.
>
> the second statement (access by radius none) seems to override the first statement. ie. if the second statement is in place
> cn=radius is not able to see anything under ou=users,dc=test,dc=com anymore no matter what objectclass the objects in the container
> have.

Now I did try it out and think I found a solution to your problem:

access to dn.children="ou=users,dc=test,dc=com"
    filter="(objectClass=radiusprofile)"
    by dn=cn=radius,ou=sa,dc=test,dc=com read
    by users read

access to dn.children="ou=users,dc=test,dc=com"
    by dn=cn=radius,ou=sa,dc=test,dc=com none
    by users read

access to dn.base="ou=users,dc=test,dc=com"
    by users read

Does this work for you?

Cheers,

Peter


> regards,
> marvin


-- 
_______________________________________________________________________

Peter Gietz (CEO)
DAASI International GmbH                   phone: +49 7071 407109-0
Europaplatz 3                              Fax:   +49 7071 407109-9
D-72072 Tübingen                           mail:  peter.gietz@daasi.de
Germany                                    Web:   www.daasi.de

DAASI International GmbH, Tübingen
Geschäftsführer Peter Gietz, Amtsgericht Stuttgart HRB 382175

Directory Applications for Advanced Security and Information Management
_______________________________________________________________________

Follow-Ups:
- RE: acls
  - From: "Mundry, Marvin" <Marvin.Mundry@uni-hamburg.de>

References:
- acls
  - From: "Mundry, Marvin" <Marvin.Mundry@uni-hamburg.de>
- Re: acls
  - From: Peter Gietz <peter.gietz@daasi.de>
- RE: acls
  - From: "Mundry, Marvin" <Marvin.Mundry@uni-hamburg.de>

Prev by Date: Re: ldap (openldap) dynamic subtree combination for responses
Next by Date: Re: ldap (openldap) dynamic subtree combination for responses
Index(es):
- Chronological
- Thread