
Subtree ACL Problem

I have the following access controls.

# slapd.conf ACL section as posted (the group DN was wrapped in the mail)
defaultaccess   read
# members of the cis role get write access to everything
access to *
  by group/organizationalRole/roleOccupant="cn=cis,ou=Groups,o=Morrison Industries,c=US" write
# userpassword: owner may change it, everyone else may only compare
access to attr=userpassword
  by self write
  by * compare
# intended: the personel group may create/delete/modify entries under ou=People
access to dn="ou=People,o=Morrison Industries,c=US"
  by group="cn=personel,ou=Groups,o=Morrison Industries,c=US" write

It all works except the last entry.  I want the group personel to be able to
create/delete/modify objects beneath "ou=People".  The first entry works, and
does grant complete control to anyone whose DN is listed as a roleOccupant in
the said group.  I tried the same syntax with the last entry, as well as the
short version shown here (I currently have the objectclass set to
groupOfUniqueNames with a uniqueMember attribute containing the DN of each
person), but any attempt to perform any operations results in failure.  I've
moved my own DN back and forth between the two groups, and being in the first as
a roleOccupant grants me access, while being in the second as a uniqueMember does
not.  I'm kind of stumped, because I read about this in the Subtree ACL thread.

Systems and Network Administrator
Morrison Industries
1825 Monroe Ave NW.
Grand Rapids, MI. 49505
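The following is an added example, not part of the original post and not the poster's configuration. It is written in OpenLDAP 2.x slapd.conf syntax (the dn.subtree keyword and the group/objectClass/memberAttr form are assumed to be available on the server in use) and reuses the DNs from the post. It shows the two things a subtree ACL for the personel group needs: the clauses ordered from most specific to least specific, because slapd uses the first "access to" clause whose target matches and a leading "access to *" shadows everything after it, and a subtree scope so the clause covers the entries below ou=People rather than only the ou=People entry itself.

```conf
# Added example (not from the original post): slapd.conf ACLs granting the
# "personel" group write access to the whole ou=People subtree.
# Assumed: OpenLDAP 2.x syntax; DNs and group names taken from the post.
#
# slapd picks the FIRST "access to" clause whose target matches the entry,
# so the catch-all "access to *" has to be the LAST clause, not the first.

# 1. Passwords: owner may change, anonymous may only bind against it,
#    the cis role may reset, everyone else may only compare.
access to attrs=userPassword
  by self write
  by anonymous auth
  by group/organizationalRole/roleOccupant="cn=cis,ou=Groups,o=Morrison Industries,c=US" write
  by * compare

# 2. The ou=People subtree: the ou=People entry plus every entry beneath it.
#    dn.subtree is what reaches the children; a bare dn="..." means dn.exact
#    in 2.x and matches only the ou=People entry itself.  The parent entry
#    must be included because adding or deleting a child requires write
#    access to the parent's "children" pseudo-attribute.
#    The group is a groupOfUniqueNames, so the object class and member
#    attribute are named explicitly; the default for a bare "by group=" is
#    groupOfNames/member and would never match a uniqueMember value.
access to dn.subtree="ou=People,o=Morrison Industries,c=US"
  by group/organizationalRole/roleOccupant="cn=cis,ou=Groups,o=Morrison Industries,c=US" write
  by group/groupOfUniqueNames/uniqueMember="cn=personel,ou=Groups,o=Morrison Industries,c=US" write
  by * read

# 3. Everything else: the cis role keeps full control, others may read.
access to *
  by group/organizationalRole/roleOccupant="cn=cis,ou=Groups,o=Morrison Industries,c=US" write
  by * read
```

Two practical checks after loading this: bind as a uniqueMember of cn=personel and run an ldapadd, ldapmodify and ldapdelete against a test entry under ou=People; then bind as the same user and try to modify an entry outside ou=People, which should fail with insufficient access. Note that clause 1 is matched before clause 2 for the userPassword attribute, so personel members cannot reset other users' passwords unless the personel group is added to clause 1 as well; that is a deliberate choice here, since resetting passwords is a more sensitive right than editing the rest of an entry.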