[Date Prev][Date Next] [Chronological] [Thread] [Top]

Subtree ACL Problem

To: openldap-software@OpenLDAP.org
Subject: Subtree ACL Problem
From: Adam Tauno Williams <adam@morrison-ind.com>
Date: Fri, 21 Jul 2000 14:19:46 -0400
User-agent: IMP/PHP3 Imap webMail Program 2.0.11

I have the following access controls.

defaultaccess   read
access to *
  by group/organizationalRole/roleOccupant="cn=cis,ou=Groups,o=Morrison
Industries,c=US" write
access to attr=userpassword
  by self write
  by * compare
access to dn="ou=People,o=Morrison Industries,c=US"
  attrs=children,entry,uid,cn
  by group="cn=personel,ou=Groups,o=Morrison Industries,c=US" write

It all works except the last entry.  I want the group personel to be able to
create/delete/modify objects beneath "ou=People".  The first entry works, and
does grant complete control to anyone whose dn is listed as a roleoccupant in
the said group.  I tried the same syntax with the last entry, as well the the
short version shown here (I currently have the objectclass set to
groupofuniquenames with a uniquemember attirbute containing the DN of each
person),  but any attempt to perform any operations results in failure.  I've
moved my own DN back and forth between the two groups, and bieng in the first as
a roleoccupant grants me access, while bieng in the second as a uniquename does
not.  I'm kind of stumped, because I read about this in the Subtree ACL thread.

Systems and Network Administrator
Morrison Industries
1825 Monroe Ave NW.
Grand Rapids, MI. 49505

Follow-Ups:
- Re: Subtree ACL Problem
  - From: "Kurt D. Zeilenga" <Kurt@OpenLDAP.org>

Prev by Date: RE: ever-mounting frustration
Next by Date: Re: Subtree ACL Problem
Index(es):
- Chronological
- Thread