
Re: ACL attr=children problem



On Wed, 2005-11-16 at 13:29 +0100, Jimmy Ott wrote:
> Hello,
> 
> I have some problems when trying to set ACL for my Mail LDAP tree. Here
> is a bit of background information:
> 
> my sample tree in short form:
> 
> dc=my,dc=domain,dc=com
> -> cn=admin,dc=my,dc=domains,dc=com
> -> ou=domains,dc=my,dc=domain,dc=com
>    -> ou=otherdomain,ou=domains,dc=my,dc=domain,dc=com
>       -> cn=postmaster,ou=otherdomain,ou=domains,dc=my,dc=domain,dc=com
>       -> cn=mailuser1,ou=otherdomain,ou=domains,dc=my,dc=domain,dc=com
>       -> cn=mailuser2,ou=otherdomain,ou=domains,dc=my,dc=domain,dc=com
> 
> I want to give postmasters full access to their domain ou. In this
> example, write access by
> cn=postmaster,ou=otherdomain,ou=domains,dc=my,dc=domain,dc=com to
> subtree of ou=otherdomain,ou=domains,dc=my,dc=domain,dc=com.
> 
> I tested the following static ACL, so that I can later change and generalize
> it with regexp:
> 
> access to dn="ou=otherdomain,ou=domains,dc=my,dc=domain,dc=com"
> attrs=children
> by dn="cn=postmaster,ou=otherdomain,ou=domains,dc=my,dc=domain,dc=com" write
> 
> Changes to object cn=mailuser1 in the same ou fail with "insufficient
> access", so something went wrong with pseudo attr children.

Did you read slapd.access(5)?  If you didn't, go and do it.  If you did,
you might have misunderstood the meaning of the pseudo-attribute
"children".

p.





Ing. Pierangelo Masarati
Responsabile Open Solution

SysNet s.n.c.
Via Dossi, 8 - 27100 Pavia - ITALIA
http://www.sys-net.it
------------------------------------------
Office:   +39.02.23998309          
Mobile:   +39.333.4963172
Email:    pierangelo.masarati@sys-net.it
------------------------------------------
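
Added illustration, not part of either message in this thread: the posted ACL next to one way to grant write over the whole subtree, following the access rules in slapd.access(5). The DNs are the ones from the question; which other `by` clauses belong in the second directive is an assumption left to the site's policy.

```conf
# (1) The ACL as posted. It covers only the "children" pseudo-attribute,
#     which governs adding and deleting entries below an entry. A modify
#     of cn=mailuser1 needs write access to the attributes being changed
#     in that entry, which this directive never grants, so the operation
#     is refused with "insufficient access".
access to dn="ou=otherdomain,ou=domains,dc=my,dc=domain,dc=com"
        attrs=children
        by dn="cn=postmaster,ou=otherdomain,ou=domains,dc=my,dc=domain,dc=com" write

# (2) Delegated write over the subtree. With no attrs= restriction the
#     directive applies to every attribute of every entry at or below the
#     ou, including the "entry" and "children" pseudo-attributes, so the
#     postmaster can add, delete and modify entries there.
#     Every access directive ends with an implicit "by * none": list the
#     other identities that still need access to this subtree (for
#     example read or auth access) as further "by" clauses in this same
#     directive, or they get nothing.
access to dn.subtree="ou=otherdomain,ou=domains,dc=my,dc=domain,dc=com"
        by dn.exact="cn=postmaster,ou=otherdomain,ou=domains,dc=my,dc=domain,dc=com" write
```

slapd uses the first `access to` directive that matches the target entry and attribute, so directive (2) has to appear before any broader directive that would match the same entries.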