Re: ACL to allow an attribute to be cleared, but not changed to something else?



--On Thursday, July 01, 2010 8:48 AM -0700 Tim Gustafson <tjg@soe.ucsc.edu> wrote:

> > If you mean a normal user which application-wise is granted
> > higher privileges by ACLs, you need to make use of the granular
> > "a" (add) and "z" (zap) privileges (their union is "w", write).
>
> Pardon my thickness, but the documentation at
> http://www.openldap.org/doc/admin24/access-control.html specifically
> calls out the possible values of the "level" part of the ACL clause:
>
> <level> ::= none | disclose | auth | compare | search | read | write |
> manage
>
> Is this an undocumented feature?  Should perhaps the documentation be
> updated, or maybe an example of this sort of ACL included in the examples
> section?

I suggest you refer to the man page, which is always the end authority on documentation.

<http://www.openldap.org/software/man.cgi?query=slapd.access&apropos=0&sektion=0&manpath=OpenLDAP+2.4-Release&format=html>

--Quanah

--

Quanah Gibson-Mount
Principal Software Engineer
Zimbra, Inc
--------------------
Zimbra ::  the leader in open source messaging and collaboration
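
Added example, not part of the original thread: a slapd.conf ACL fragment using the privilege form (`=` followed by privilege letters) from slapd.access(5), which is where the "a" and "z" privileges discussed above are documented. The attribute name `description` and the choice of `self` as the subject are assumptions made for illustration.

```conf
# Constructed example (not from the thread). "description" and "self" are
# assumed; substitute the attribute and subject that apply to your directory.
#
# Privilege letters per slapd.access(5):
#   d disclose, x auth, c compare, s search, r read,
#   a add, z delete ("zap"), w = a + z, m manage

# Too broad for this goal: "write" is the union of "a" and "z", so the user
# could also replace the value with anything they like.
#access to attrs=description
#    by self write
#    by users read
#    by * none

# Narrowed: "z" without "a". A modify that deletes the existing values is
# permitted; a modify that adds values, or a replace that supplies new
# values, needs "a" as well and is refused.
access to attrs=description
    by self =zrscxd
    by users read
    by * none
```

ACLs are evaluated in order and the first matching `access to` clause wins, so the narrowed rule must appear before any broader rule that grants `write` on the same attribute.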