
Re: acl issue



On Wed, Dec 19, 2012 at 04:39:50PM +0530, anil beniwal wrote:

> First one is working fine, 2nd one is not allowing write access to the
> Vpwrite user.

The second ACI is for Vwrite and Vread, not Vpwrite...

> The scenario is that we want to delegate read access to all the attributes
> to one user and write access to all the attributes to another user.
> 
> 
> This is for login.
> 
> 
> access to attrs=userPassword
>                   by self     write
>                   by dn="cn=Vpwrite,ou=businessUsersGroup,dc=example,dc=com" write
>                   by dn="cn=Vpread,ou=businessUsersGroup,dc=example,dc=com" read
>                   by anonymous auth
>                   by * break

You may not want that 'by * break' clause.
It will allow both Vread and Vwrite to access the password
attribute.

> Read/Write access
> 
> access to *
>                   by dn="cn=Vwrite,ou=businessUsersGroup,dc=example,dc=com" write
>                   by dn="cn=Vread,ou=businessUsersGroup,dc=example,dc=com" read
>                   by * none

Did you really intend to have four users here, or just two?

Andrew
-- 
-----------------------------------------------------------------------
|                 From Andrew Findlay, Skills 1st Ltd                 |
| Consultant in large-scale systems, networks, and directory services |
|     http://www.skills-1st.co.uk/                +44 1628 782565     |
-----------------------------------------------------------------------
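
The fall-through that 'by * break' causes can be traced with a small model of access-clause evaluation. This is an added example, not part of the message above and not slapd's own code; it is a simplified sketch that assumes only exact-DN, self, anonymous and * matching, and the function and variable names are hypothetical.

```python
# Simplified model of slapd access-clause evaluation (assumption: only exact
# DN, self, anonymous and * "who" forms; DNs compared as plain strings).
BASE = "ou=businessUsersGroup,dc=example,dc=com"
VPWRITE, VPREAD = f"cn=Vpwrite,{BASE}", f"cn=Vpread,{BASE}"
VWRITE, VREAD = f"cn=Vwrite,{BASE}", f"cn=Vread,{BASE}"

def password_rule(last_by):
    """The userPassword clause from the thread, with a configurable last 'by'."""
    return ("userPassword", [("self", "write", "stop"),
                             (VPWRITE, "write", "stop"),
                             (VPREAD, "read", "stop"),
                             ("anonymous", "auth", "stop"),
                             last_by])

CATCH_ALL = ("*", [(VWRITE, "write", "stop"),
                   (VREAD, "read", "stop"),
                   ("*", "none", "stop")])

def who_matches(who, requester, entry_dn):
    if who == "*":
        return True
    if who == "self":
        return requester is not None and requester == entry_dn
    if who == "anonymous":
        return requester is None
    return who == requester

def effective_access(rules, requester, entry_dn, attr):
    """Return the level granted to requester (None = anonymous) on attr."""
    for target, by_clauses in rules:
        if target not in ("*", attr):
            continue
        for who, level, control in by_clauses:
            if who_matches(who, requester, entry_dn):
                if control == "stop":
                    return level
                break  # 'break' control: go on to the next access clause
        else:
            return "none"  # implicit 'by * none stop' ending every clause
    return "none"

AS_POSTED = [password_rule(("*", None, "break")), CATCH_ALL]
# Same effect as dropping the last 'by', given the implicit ending.
TIGHTENED = [password_rule(("*", "none", "stop")), CATCH_ALL]

if __name__ == "__main__":
    entry = f"cn=someuser,{BASE}"  # constructed sample entry
    for name, rules in (("as posted", AS_POSTED), ("tightened", TIGHTENED)):
        for dn in (VWRITE, VREAD):
            print(name, dn, effective_access(rules, dn, entry, "userPassword"))
```
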