[Date Prev][Date Next] [Chronological] [Thread] [Top]

RE: acls

To: "openldap-technical@openldap.org" <openldap-technical@openldap.org>
Subject: RE: acls
From: "Mundry, Marvin" <Marvin.Mundry@uni-hamburg.de>
Date: Thu, 16 Aug 2012 12:03:41 +0000
Accept-language: en-GB, de-DE, en-US
Content-language: de-DE
In-reply-to: <502B6E94.1040106@daasi.de>
References: <83F4AF6808820F419C8919CC1356D0E160266C@HVN-VSRV-MBX2.HVN.uni-hamburg.de> <502B6E94.1040106@daasi.de>
Thread-index: Ac16xH+RVOHYxP6ySDuzCK00o/6Tw///6YUA//53qRA=
Thread-topic: acls

> > I am trying to write acl statements that implement to following scenario:
> >
> > with the exception of cn=radius,ou=sa,dc=test,dc=com every user should
> > be able to see all objects under ou=users,dc=test,dc=com.
> > cn=radius,ou=sa,dc=test,dc=com should only see objects under
> > ou=users,dc=test,dc=com with objectClass=radiusprofile

On 15.08.2012 11:41, Peter Gietz wrote:
> what about something like:
> access to dn.subtree=ou=users,dc=test,dc=com filter="(objectClass=radiusprofile)"
> by dn=cn=radius,ou=sa,dc=test,dc=com read

> access to dn.subtree=ou=users,dc=test,dc=com
> by dn=cn=radius,ou=sa,dc=test,dc=com none
> by users read

thanks for your help peter!
the statements you suggested result in in the same situation as those I came up with in my last post.

the second statement (access by radius none) seems to override the first statement. ie. if the second statement is in place
cn=radius is not able to see anything under ou=users,dc=test,dc=com anymore no matter what objectclass the objects in the container
have.

regards,
marvin

Attachment: smime.p7s
Description: S/MIME cryptographic signature

Follow-Ups:
- Re: acls
  - From: Peter Gietz <peter.gietz@daasi.de>

References:
- acls
  - From: "Mundry, Marvin" <Marvin.Mundry@uni-hamburg.de>
- Re: acls
  - From: Peter Gietz <peter.gietz@daasi.de>

Prev by Date: RE: LDAP authentication using Radius
Next by Date: Re: Lazy ACLs and keeping your DIT as flat as possible
Index(es):
- Chronological
- Thread