
Re: ACL



Fabrice Nouet wrote:

> Hello All,
>
> I still have a problem with ACL:
> My first line is:
> access to dn=".*o=Right Vision" by dn="cn=Fabrice,ou=Admin,o=Right Vision"
> write
> My second line is:
> access to dn=".*ou=User,o=Right vision" attr=userpassword
> by dn="cn=Thierry,ou=Admin,o=Right Vision" read by * none
>
> I am waiting for the following result:
> - Fabrice has all access to write to all my openLdap base
> - Thierry can read all entries below ou=User,o=Right Vision
> - The other users read all entries but not the userpassword attribute below
> ou=User,o=Right Vision
>
> The second line (ACI) is not functioning, but when I delete my first line
> (without Fabrice's access) it is well functioning.
>

Hi,

The rules for access rights must be ordered.
So the most restrictive rule must be the first because when the server reads
the ACL file, it stops when the first ACL is matched.
So in your case if you are looking for an entry like "cn=test,ou=User,o=Right
Vision" it matches with the first rule dn=".*o=Right Vision" and the access is
only granted to cn=Fabrice,ou=Admin,...

If you want to solve this problem, you must replace the first rule with the
second in the file.
And you have to add in the new first rule the write access for
cn=fabrice,ou=Admin.

Hope it can help you.

Manu.
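The following is an added example, not part of the thread and not OpenLDAP code: a small Python model of the first-match semantics Manu describes, run over both orderings of Fabrice's two directives. It parses the `access to dn="..." [attr=...] by ... level` syntax from the mails (with continuation lines already joined), walks the directives in file order, takes the first one whose target matches, and inside it the first `by` clause that matches the requester; no matching `by` clause means `none`. Assumptions made for the model: the `dn=` regex is matched unanchored and case-insensitively (so `o=Right vision` still matches the entry), a request that matches no directive at all is denied, and the general rule in the reordered file gains a `by * read` clause, because without one the third expected result (ordinary users reading everything but userpassword) cannot hold. The DN `cn=Bob,ou=User,o=Right Vision` is a constructed ordinary user.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# slapd access levels, weakest to strongest (see slapd.access(5)).
LEVELS = ("none", "auth", "compare", "search", "read", "write")


@dataclass
class AccessDirective:
    dn_regex: str                     # regex from the 'to dn="..."' clause
    attr: Optional[str]               # 'attr=...' if present, else entry plus all attributes
    by: List[Tuple[str, str]]         # (who, level) in the order written; who is a DN or "*"


_TO_RE = re.compile(r'^access\s+to\s+dn="([^"]+)"(?:\s+attr=(\S+))?\s+(by\s+.*)$', re.S)
_BY_RE = re.compile(r'by\s+(?:dn="([^"]+)"|(\*))\s+(none|auth|compare|search|read|write)')


def parse_access(line: str) -> AccessDirective:
    """Parse one 'access to ... by ...' directive (continuation lines already joined)."""
    m = _TO_RE.match(line.strip())
    if not m:
        raise ValueError(f"not an access directive: {line!r}")
    dn_regex, attr, by_text = m.groups()
    by = [(dn or star, level) for dn, star, level in _BY_RE.findall(by_text)]
    if not by:
        raise ValueError(f"no 'by' clause in: {line!r}")
    return AccessDirective(dn_regex, attr.lower() if attr else None, by)


def evaluate(directives: List[AccessDirective], target_dn: str,
             attr: Optional[str], requester_dn: str) -> str:
    """First-match evaluation: the first directive whose target matches decides."""
    for d in directives:
        # Assumption: unanchored, case-insensitive regex match on the target DN.
        if not re.search(d.dn_regex, target_dn, re.IGNORECASE):
            continue
        # A directive with attr= only covers that attribute; one without covers everything.
        if d.attr is not None and (attr is None or d.attr != attr.lower()):
            continue
        for who, level in d.by:
            if who == "*" or who.lower() == requester_dn.lower():
                return level
        return "none"          # target matched, no 'by' clause matched: implicit 'by * none'
    return "none"              # assumption: nothing matched at all, deny


FABRICE = "cn=Fabrice,ou=Admin,o=Right Vision"
THIERRY = "cn=Thierry,ou=Admin,o=Right Vision"
BOB = "cn=Bob,ou=User,o=Right Vision"        # constructed ordinary user
ENTRY = "cn=test,ou=User,o=Right Vision"     # the entry Manu uses as his example

# Fabrice's file as posted: the general rule comes first and swallows every request.
ORIGINAL_ORDER = [parse_access(l) for l in (
    'access to dn=".*o=Right Vision" by dn="cn=Fabrice,ou=Admin,o=Right Vision" write',
    'access to dn=".*ou=User,o=Right vision" attr=userpassword '
    'by dn="cn=Thierry,ou=Admin,o=Right Vision" read by * none',
)]

# Manu's fix: specific rule first, Fabrice's write added to it; 'by * read' on the
# general rule is an assumption added here so other users can read the rest.
REORDERED = [parse_access(l) for l in (
    'access to dn=".*ou=User,o=Right vision" attr=userpassword '
    'by dn="cn=Fabrice,ou=Admin,o=Right Vision" write '
    'by dn="cn=Thierry,ou=Admin,o=Right Vision" read by * none',
    'access to dn=".*o=Right Vision" by dn="cn=Fabrice,ou=Admin,o=Right Vision" write by * read',
)]


def decisions(directives: List[AccessDirective]) -> dict:
    """Access each requester gets on ENTRY, for userPassword and for an ordinary attribute."""
    return {
        (name, attr): evaluate(directives, ENTRY, attr, dn)
        for name, dn in (("Fabrice", FABRICE), ("Thierry", THIERRY), ("Bob", BOB))
        for attr in ("userPassword", "mail")
    }


if __name__ == "__main__":
    for label, rules in (("original order", ORIGINAL_ORDER), ("reordered", REORDERED)):
        print(label)
        for (name, attr), level in decisions(rules).items():
            print(f"  {name:8} {attr:13} -> {level}")
```

Running it prints Thierry getting `none` on userPassword with the original order (the first directive matched and has no `by` clause for him), and `read` once the specific directive is moved in front. Whether real slapd anchors the regex or uses `defaultaccess` for the no-match case depends on the version in use; the ordering rule itself is the same.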