[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: Access control attributes list

To: "Digant C Kasundra" <digant@uta.edu>
Subject: Re: Access control attributes list
From: "Pierangelo Masarati" <ando@sys-net.it>
Date: Thu, 1 Sep 2005 18:09:21 +0200 (CEST)
Cc: "Openldap-Software" <openldap-software@OpenLDAP.org>
Importance: Normal
In-reply-to: <1125587170.19259.17.camel@localizer.uta.edu>
References: <1125587170.19259.17.camel@localizer.uta.edu>
User-agent: SquirrelMail/1.4.3a-1

> Hello everyone,
>
> In the access controls, you can specify all attributes allowed in an
> objectclass by using the @ notation.  Is there a way to do something
> like "@inetOrgPerson, -cn" so indicate all the attributes allowed in
> inetOrgPerson but not the cn attribute?  (this is obviously just an
> example)

Not that way, but you get the intended effect by writing a rule that gives
the desired access to "cn", followed by a similar rule that gives the
"other" access to all the attributes of the objectClass; for example:

access to attrs=cn
    by dn.exact="cn=someone" read

access to attrs=@inetOrgPerson
    by dn.exact="cn=someone" search



or you could do it incrementally, e.g.

access to attrs=@inetOrgPerson
    by dn.exact="cn=someone" search break

access to attrs=cn
    by dn.exact="cn=someone" +r



p.


-- 
Pierangelo Masarati
mailto:pierangelo.masarati@sys-net.it


    SysNet - via Dossi,8 27100 Pavia Tel: +390382573859 Fax: +390382476497

Follow-Ups:
- Re: Access control attributes list
  - From: Digant C Kasundra <digant@uta.edu>

References:
- Access control attributes list
  - From: Digant C Kasundra <digant@uta.edu>

Prev by Date: Re: Tweaking "threads"
Next by Date: Re: Access control attributes list
Index(es):
- Chronological
- Thread