
Re: Subtree ACL Problem



>>>>access to dn=".*,ou=People,o=Morrison Industries,c=US"
>>>>  attrs=children,entry,uid
>>>This rule doesn't apply to attribute 'mobile' 
>>Ok, I think I get it.  But I "thought" that "attrs=children,entry" granted
>>access to an entire subtree, apparently this is not true.  Would something
>>like "attrs=children,entry,*" be more appropriate here?  Can I use a
>>wildcard there?
>Just don't qualify the ACL with attrs.  Then it will apply to
>the entry, its contents (specific attributes), and rights to
>create immediate children of this entry.

Cool, I've got it working now by splitting the rule (one to allow the create of
children, etc..., and one to allow modification of objects).  Thanks for your
assistance and patience.  If I were to write some clearer documentation (no
offense to the authors of what is already there) is there anyone I could send
it to for consideration?  I assume this will remain pretty much the same in
OpenLDAP v2?

access to attr=userpassword
  by self write
  by group/organizationalRole/roleOccupant="cn=personel,ou=Groups,..." write
  by * compare
access to dn=".*,ou=People,o=Morrison Industries,c=US"
  attrs=loginshell,uidnumber,gidnumber, etc . . .
  by group/organizationalRole/roleOccupant="cn=cis,ou=Groups,..." write
  by * read
access to dn="ou=People,o=Morrison Industries,c=US"
  attrs=children,entry
  by group/organizationalRole/roleOccupant="cn=personel,ou=Groups,..." write
  by group/organizationalRole/roleOccupant="cn=cis,ou=Groups,..." write
access to dn=".*,ou=People,o=Morrison Industries,c=US"
  by group/organizationalRole/roleOccupant="cn=personel,ou=Groups,..." write
  by group/organizationalRole/roleOccupant="cn=cis,ou=Groups,..." write
access to *
  by group/organizationalRole/roleOccupant="cn=cis,ou=Groups,..." write

Systems and Network Administrator
Morrison Industries
1825 Monroe Ave NW.
Grand Rapids, MI. 49505
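As an added illustration (not code from the post or from OpenLDAP), here is a small Python model of how slapd picks the first access clause matching a DN and attribute, showing why a rule qualified with attrs=children,entry,uid never reaches the 'mobile' attribute while the unqualified form does. The DN strings, the shortened group DN and the "groups" argument standing in for roleOccupant membership are assumptions made for the example.

```python
import re
from dataclasses import dataclass, field

# Access levels in the order slapd ranks them; a grant at one level
# implies every lower level (write implies read, read implies compare ...).
LEVELS = ["none", "compare", "search", "read", "write"]

@dataclass
class Rule:
    """One 'access to dn=<regex> [attrs=...] by ...' clause."""
    dn_regex: str                               # dn= is a regex in OpenLDAP 1.x
    attrs: list = field(default_factory=list)   # empty == no attrs= qualifier
    by: list = field(default_factory=list)      # [(who, level), ...] in order

    def covers(self, target_dn, attr):
        if not re.fullmatch(self.dn_regex, target_dn):
            return False
        # No attrs= qualifier: the rule applies to the entry and all of its
        # attributes (the point made in the reply above).  With a qualifier it
        # applies only to the listed names, where the pseudo-attributes are
        # "entry" (the entry itself) and "children" (creating entries below it).
        return not self.attrs or attr in self.attrs

def allowed(rules, requester_dn, target_dn, attr, wanted, groups=()):
    """Evaluate like slapd: the first rule matching (dn, attr) decides, and
    within it the first 'by' clause matching the requester decides.
    'groups' lists the group DNs the requester occupies (assumed stand-in for
    the group/organizationalRole/roleOccupant="..." form in the post)."""
    for rule in rules:
        if not rule.covers(target_dn, attr):
            continue
        for who, level in rule.by:
            if (who == "*" or (who == "self" and requester_dn == target_dn)
                    or (who.startswith("group=") and who[6:] in groups)):
                return LEVELS.index(level) >= LEVELS.index(wanted)
        return False   # rule matched but no 'by' clause did: implicit "by * none"
    return False       # no rule matched at all: default deny

# Constructed rules modelled on the ACL in the post (group DN is an assumption).
PEOPLE = r".*,ou=People,o=Morrison Industries,c=US"
CIS = "group=cn=cis,ou=Groups,o=Morrison Industries,c=US"
QUALIFIED = [Rule(PEOPLE, ["children", "entry", "uid"], [(CIS, "write")])]
UNQUALIFIED = [Rule(PEOPLE, [], [(CIS, "write")])]

if __name__ == "__main__":
    jdoe = "uid=jdoe,ou=People,o=Morrison Industries,c=US"
    admin = "uid=admin,ou=People,o=Morrison Industries,c=US"
    cis = ["cn=cis,ou=Groups,o=Morrison Industries,c=US"]
    print(allowed(QUALIFIED, admin, jdoe, "mobile", "write", cis))    # False
    print(allowed(UNQUALIFIED, admin, jdoe, "mobile", "write", cis))  # True
```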