Access Control Question
I have been testing with the following acl setup:
defaultaccess none
access to dn=".*,ou=people,o=Organization Name" attr=userpassword
by self write
by dn="uid=administrator,o=Organization Name" write
by * compare
access to *
by self write
by dn="uid=admininistrator,o=Organization Name" write
by * read
...which is intended to give anonymous read and password authentication
access, individual user update capabilities to their own entry, and
global administrative authority. It works.
Now I want to create another branch of the DIT and provide the same
accessibility as above. In this case though I want to define a
supplemental administrator whose global authority is limited to this new
branch. Here is what I came up with:
defaultaccess none
access to dn=".*,ou=another branch,o=Organization Name"
by dn="uid=12345,ou=people,o=Organization Name" write
by dn="uid=administrator,o=Organization Name" write
by * read
access to dn=".*,ou=people,o=Organization Name" attr=userpassword
by self write
by dn="uid=administrator,o=Organization Name" write
by * compare
access to *
by self write
by dn="uid=admininistrator,o=Organization Name" write
by * read
When executing an ldapadd, binding with uid=12345..., I get an
Insufficient access error; I know the password is correct. Can I grant
administrative access to specific users for specific portions of the
DIT? If so, what am I doing wrong in specifying my ACLs above?
Thanks for any ideas.
Tod Thomas
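One way to revise the second ACL set so that uid=12345 can add entries under the new branch, as an added example rather than anything from the original post. It assumes OpenLDAP 1.x semantics: an add operation needs write access to the parent entry of the one being added, and the first `access to` clause whose dn regex matches an entry is the one that decides access for that entry. The placeholder DNs are the poster's; the anchored regex patterns and the extra userpassword clause for the new branch are mine.

```conf
# Added example: revised slapd.conf ACL fragment for the "another branch" case.
# Assumption (OpenLDAP 1.x): ldapadd requires write access to the PARENT of the
# new entry, and the first "access to" clause whose dn regex matches an entry
# is the one applied to it, so clause order matters.
defaultaccess none

# Passwords in the new branch get the same treatment as under ou=people:
# owner and administrators may write, everyone else may only compare (bind).
# This clause must come before the general branch clause below, otherwise that
# clause's "by * read" would expose userpassword to anonymous readers.
access to dn="^.*,ou=another branch,o=Organization Name$" attr=userpassword
        by self write
        by dn="^uid=12345,ou=people,o=Organization Name$" write
        by dn="^uid=administrator,o=Organization Name$" write
        by * compare

# The posted pattern ".*,ou=another branch,o=Organization Name" needs a literal
# comma before "ou=", so it matches entries BELOW the branch but never the
# branch entry "ou=another branch,o=Organization Name" itself. That parent
# therefore falls through to "access to *", where uid=12345 only gets read,
# and the add is refused with Insufficient access.
# "(.*,)?" makes the prefix optional so the branch entry matches as well;
# "^" and "$" anchor the pattern so it cannot match a longer, unrelated DN.
access to dn="^(.*,)?ou=another branch,o=Organization Name$"
        by dn="^uid=12345,ou=people,o=Organization Name$" write
        by dn="^uid=administrator,o=Organization Name$" write
        by * read

# Unchanged in intent: ou=people passwords are writable only by their owner
# and the global administrator; all others may only compare against them.
access to dn="^.*,ou=people,o=Organization Name$" attr=userpassword
        by self write
        by dn="^uid=administrator,o=Organization Name$" write
        by * compare

# Catch-all. Note the spelling "administrator": both posted listings have
# "admininistrator" in this clause, which would never match the real
# administrator's bind DN and so silently fall through to "by * read".
access to *
        by self write
        by dn="^uid=administrator,o=Organization Name$" write
        by * read
```

To confirm which clause is being applied to the parent entry, run slapd with ACL tracing enabled (`slapd -d 128`) and repeat the ldapadd as uid=12345; the trace shows each `access to` clause tried against `ou=another branch,o=Organization Name` and the access level that resulted. Since uid=12345 is a write-capable delegate for the branch, that account's own userpassword still sits under ou=people and remains protected by the people clause, which is the intended scoping.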