
Re: Tough ACI Question



>Don't know if you all can help me but I am trying to put an ACI on a branch
>of my directory and can't figure it out.  I have a group with 100 members or
>so,
>cn=mygroup,ou=myapplication,o=mycompany.com
>I also have an administrative user
>uid=myapp-admin,ou=Administrators,o=mycompany.com
>I need an ACI such that the myapp-admin has total access and such that the
>folks in the mygroup have read-only access to the branch
>ou=myapplication,o=mycompany.com.  Does anyone know if this is possible and
>how it might be done?

How is this hard?  Standard ACI stuff covered in documentation.
Set your ACI type field to "group" and your subject field to the dn of the
groupOfNames.

OpenLDAPaci:OID#SCOPE#RIGHTS#TYPE#SUBJECT
So an OpenLDAPaci attribute might look like:
OpenLDAPaci: 1#entry#grant;r,w;[all]#group#cn=cis,ou=Groups,dc=Example,dc=Com

See ftp://kalamazoolinux.org/pub/pdf/ldapv3.pdf
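
Added example, not part of the original reply: a small Python audit that parses OpenLDAPaci values in the OID#SCOPE#RIGHTS#TYPE#SUBJECT layout quoted above and reports any grant of "w" to a subject that should be read-only, as the question requires for mygroup. The sample values are constructed from the DNs in the question, the function names are hypothetical, and the "access-id" type used for the single admin DN is an assumption (the reply only shows "group").

```python
# Added example: audit OpenLDAPaci values for unexpected write grants.
FIELDS = ("oid", "scope", "rights", "type", "subject")

def parse_aci(value):
    """Split one OpenLDAPaci value of the form OID#SCOPE#RIGHTS#TYPE#SUBJECT."""
    parts = value.split("#", 4)  # maxsplit keeps any '#' inside the subject DN
    if len(parts) != 5:
        raise ValueError(f"expected 5 '#'-separated fields: {value!r}")
    aci = dict(zip(FIELDS, (p.strip() for p in parts)))
    # Only the single action;permissions;targets form shown in the reply is handled.
    rights = aci["rights"].split(";")
    if len(rights) != 3:
        raise ValueError(f"unsupported rights field: {aci['rights']!r}")
    action, perms, targets = rights
    aci["action"] = action.strip().lower()
    aci["perms"] = {p.strip().lower() for p in perms.split(",") if p.strip()}
    aci["targets"] = targets.strip()
    return aci

def unexpected_writers(values, allowed_writers):
    """Return (subject, raw value) for each grant of 'w' to a subject not allowed to write."""
    # Simplified DN comparison: case-insensitive string match, no DN normalization.
    allowed = {dn.lower() for dn in allowed_writers}
    findings = []
    for value in values:
        aci = parse_aci(value)
        granted_write = aci["action"] == "grant" and "w" in aci["perms"]
        if granted_write and aci["subject"].lower() not in allowed:
            findings.append((aci["subject"], value))
    return findings

# Constructed sample values using the DNs from the question.
# "access-id" as the type for a single user DN is an assumption, not from the reply.
ADMIN = "uid=myapp-admin,ou=Administrators,o=mycompany.com"
SAMPLE = [
    "1#entry#grant;r,w;[all]#access-id#" + ADMIN,
    "2#entry#grant;r;[all]#group#cn=mygroup,ou=myapplication,o=mycompany.com",
    "3#entry#grant;r,w;[all]#group#cn=mygroup,ou=myapplication,o=mycompany.com",
]

if __name__ == "__main__":
    for subject, raw in unexpected_writers(SAMPLE, [ADMIN]):
        print(f"write granted to {subject}: {raw}")
```

The functions take the attribute value only, so strip the leading "OpenLDAPaci:" when reading values out of LDIF.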