[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: ACL's and write permission.

To: openldap-software@openldap.org
Subject: Re: ACL's and write permission.
From: Shane <squindler@gmail.com>
Date: Thu, 10 May 2007 00:21:14 +0930
Content-disposition: inline
In-reply-to: <20070509092114.yu7ha1lx4w0woso8@webmail.npd.ufsc.br>
References: <20070509092114.yu7ha1lx4w0woso8@webmail.npd.ufsc.br>

summarising your post - heres your "active" ACL's by the looks:

access to dn.base="cn=Subschema"
       by * read
access to attrs=userPKCS12
       by self write
       by * auth
access to attrs=shadowLastChange
       by self write
       by * read
access to attrs=userPassword
       by dn="cn=admin,dc=sub,dc=domain,dc=xyz,dc=xy" write
       by anonymous    auth
       by self         write
       by *            none
access to dn.base=""
       by * read
access to *
       by dn="cn=admin,dc=sub,dc=domain,dc=xyz,dc=xy" write
       by * read
access to dn="ou=moodleusers,dc=sub,dc=domain,dc=xyz,dc=xy"
       by dn="uid=usuariomoodle-admin,dc=sub,dc=domain,dc=xyz,dc=xy" write

The rule for "usuariomoodle-admin" is inaccessable. As ACL's are only
processed until a match is found you can never get to this rule - the
preceeding rule says give read to * so the ACL will always stop there
if it hasn't been already caught by one of the others. Simple move
that last access rule above the access to * on and you should get
things moving in the right direction.

Shane.

References:
- ACL's and write permission.
  - From: lauro@npd.ufsc.br

Prev by Date: simple ACL requirement, grant access to modify myself and my sub entries, not sure how to do it
Next by Date: Minimal OpenLDAP server source
Index(es):
- Chronological
- Thread