Re: acls
On 16.08.2012 14:03, Mundry, Marvin wrote:
>>> I am trying to write acl statements that implement the following scenario:
>>>
>>> with the exception of cn=radius,ou=sa,dc=test,dc=com every user should
>>> be able to see all objects under ou=users,dc=test,dc=com.
>>> cn=radius,ou=sa,dc=test,dc=com should only see objects under
>>> ou=users,dc=test,dc=com with objectClass=radiusprofile
> On 15.08.2012 11:41, Peter Gietz wrote:
>> what about something like:
>>
>> access to dn.subtree=ou=users,dc=test,dc=com filter="(objectClass=radiusprofile)"
>>     by dn=cn=radius,ou=sa,dc=test,dc=com read
>>
>> access to dn.subtree=ou=users,dc=test,dc=com
>>     by dn=cn=radius,ou=sa,dc=test,dc=com none
>>     by users read
>>
> thanks for your help peter!
> the statements you suggested result in the same situation as those I came up with in my last post.
>
> the second statement (access by radius none) seems to override the first statement. i.e. if the second statement is in place
> cn=radius is not able to see anything under ou=users,dc=test,dc=com anymore no matter what objectclass the objects in the container
> have.
Now I did try it out and think I found a solution to your problem:

access to dn.children="ou=users,dc=test,dc=com"
    filter="(objectClass=radiusprofile)"
    by dn=cn=radius,ou=sa,dc=test,dc=com read
    by users read

access to dn.children="ou=users,dc=test,dc=com"
    by dn=cn=radius,ou=sa,dc=test,dc=com none
    by users read

access to dn.base="ou=users,dc=test,dc=com"
    by users read

Does this work for you?
Cheers,
Peter
> regards,
> marvin
--
_______________________________________________________________________
Peter Gietz (CEO)
DAASI International GmbH phone: +49 7071 407109-0
Europaplatz 3 Fax: +49 7071 407109-9
D-72072 Tübingen mail: peter.gietz@daasi.de
Germany Web: www.daasi.de
DAASI International GmbH, Tübingen
Geschäftsführer Peter Gietz, Amtsgericht Stuttgart HRB 382175
Directory Applications for Advanced Security and Information Management
_______________________________________________________________________
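
An added example, not part of the original message or of OpenLDAP: a simplified Python model of slapd's first-match ACL evaluation (the first matching `access to` clause decides, then the first matching `by` clause, with an implicit `by * none`), applied to the two rule sets in this thread. The entries `uid=alice` and `uid=bob` are constructed, and the model assumes plain string DN comparison and only the `none`/`read` levels.

```python
# Simplified model of slapd ACL evaluation. Assumptions: only DN scope, an
# objectClass filter and "by" clauses are modelled; DNs compare as plain strings.
BASE = "ou=users,dc=test,dc=com"
RADIUS = "cn=radius,ou=sa,dc=test,dc=com"

def in_scope(scope, dn):
    below = dn.endswith("," + BASE)
    return {"base": dn == BASE, "children": below,
            "subtree": below or dn == BASE}[scope]

def access(acl, who, dn, object_classes):
    """Return the level granted to bind DN `who` (None = anonymous)."""
    for scope, oc_filter, by_clauses in acl:
        if not in_scope(scope, dn):
            continue
        if oc_filter and oc_filter not in object_classes:
            continue
        # The first matching "access to" decides; later rules are not consulted.
        for subject, level in by_clauses:
            if subject == who or (subject == "users" and who is not None):
                return level
        return "none"  # implicit trailing "by * none"
    return "none"      # no rule matched: implicit "access to * by * none"

# Rules from the 15.08.2012 suggestion quoted in the message.
FIRST = [
    ("subtree", "radiusprofile", [(RADIUS, "read")]),
    ("subtree", None, [(RADIUS, "none"), ("users", "read")]),
]
# Rules from the reply above.
SECOND = [
    ("children", "radiusprofile", [(RADIUS, "read"), ("users", "read")]),
    ("children", None, [(RADIUS, "none"), ("users", "read")]),
    ("base", None, [("users", "read")]),
]

# Constructed sample entries and a constructed ordinary user.
ALICE = "uid=alice," + BASE
ENTRIES = {
    BASE: {"organizationalUnit"},
    ALICE: {"inetOrgPerson", "radiusprofile"},
    "uid=bob," + BASE: {"inetOrgPerson"},
}

def matrix(acl):
    """Map (bind DN, entry DN) -> granted level for every sample pair."""
    return {(who, dn): access(acl, who, dn, ocs)
            for who in (RADIUS, ALICE) for dn, ocs in ENTRIES.items()}

if __name__ == "__main__":
    for name, acl in (("first", FIRST), ("second", SECOND)):
        for (who, dn), level in matrix(acl).items():
            print(name, who.split(",")[0], dn.split(",")[0], level)
```

To check the real configuration rather than this model, `slapacl` can evaluate a bind DN against an entry using the server's own ACL engine.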