[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: question about the draft acl

To: "Yi-Min Tan" <tanym@ms36.hinet.net>
Subject: Re: question about the draft acl
From: "Kurt D. Zeilenga" <Kurt@OpenLDAP.org>
Date: Sat, 07 Apr 2001 08:55:00 -0700
Cc: "openldap devel" <openldap-devel@OpenLDAP.org>
In-reply-to: <000a01c0bf57$ee6329b0$d8af708c@dufu>

There has been recent discussion on the <ietf-ldapext@netscape.com>
mailing list regarding ldapACI evaluation issues.  I suggest
you review the archives <http://www.openldap.org/lists/ietf-ldapext/>
and then post your question to <ietf-ldapext@netscape.com> as
this is really a specification issue.

Kurt

At 07:43 PM 4/7/01 +0800, Yi-Min Tan wrote:
>hi.all
>I am developing the draft-ietf-ldapext-acl-model-07.txt for openldap
>but I have the following question about the acl
>my acl as follow--
>-------------
>dn:O=TW
>acl:subtree#grant:d#[entry]#group:cn=user,o=org,o=tw       (1)
>dn:O=EDU,O=TW
>acl:subtree#grant:d#[entry]#subtree:o=tw                   (2)
>acl:subtree#deny:d#[entry]#subtree:o=ncu,o=edu,o=tw        (3)
>-------------
>I am bind as "o=ncu,o=edu,o=tw"
>according to the document draft-ietf-ldapext-acl-model-07.txt
>can I delete the child of "o=edu,o=tw" ?
>*****  note: "o=ncu,o=edu,o=tw" is a member of group "cn=user,o=org,o=tw" *****
>from role (1) I can delete the child of "o=edu,o=tw"
>from role (3) I can't delete the child of "o=edu,o=tw"
>from role (2) i can delete the child of "o=edu,o=tw"
>but the "group" is more specific then "subtree"
>but bind name "o=ncu,o=edu,o=tw" is more -close- "o=edu,o=tw" then "o=tw"
>can somebody give me some hit
>thanks a lot

References:
- question about the draft acl
  - From: "Yi-Min Tan" <tanym@ms36.hinet.net>

Prev by Date: Re: Slapd frontend performance issues
Next by Date: Re: Slapd frontend performance issues
Index(es):
- Chronological
- Thread