
Re: Subtree ACL Problem



> So the following is correct?
> defaultaccess   read
> access to attr=userpassword
>   by self write
>   by group/organizationalRole/roleOccupant="cn=personel,ou=Groups,o=MI,c=US" write
>   by * compare
> access to dn="ou=People,o=Morrison Industries,c=US"
>   attrs=children,entry,uid,cn
>   by group/organizationalRole/roleOccupant="cn=personel,ou=Groups,o=MI,c=US" write
>   by group/organizationalRole/roleOccupant="cn=cis,ou=Groups,o=MI,c=US" write
> access to *
>   by group/organizationalRole/roleOccupant="cn=cis,ou=Groups,o=MI,c=US" write
> 
> I think the list, or the FAQ, could do with a few more examples.  I'm curious
> what the "attrs=children,entry" means exactly?  I can't seem to find that
> anywhere in the documentation.  Why is "uid" added to it in the examples,
> is it because it is the RDN attribute?  Since "cn" is my RDN attribute I
> added that to the list on a hunch.

Sure enough the above works.  Now another question:

If I add the clause:

 access to attr=loginshell,uidnumber,gidnumber,homedirectory,gecos
   by group/organizationalRole/roleOccupant="cn=cis,ou=Groups,o=MI,c=US" write
   by * read

after the userpassword clause, the personel group seems to lose ALL modify/add
permission to the ou=People subtree.  Is it possible to grant access to a
subtree to a group, but restrict access to certain attributes in that subtree?
I want group personel to be able to create and modify objects, just not be able
to change the value of certain attributes.  If an object contains an attribute
that a user does not have access to, can they still delete the object if they
have access to the subtree?  I think some of my lack of understanding of this lies
in the black magic of "attrs=children,entry".

>>You got it wrong, very wrong. The file is processed from top to bottom.
>>As soon as an 'access to something' clause matches, no other access
>>clauses are processed. Since your first clause (access to *) matches
>>every record, the other clauses are never used. After the first
>>matching clause is found, then the search for a matching 'by' proceeds
>>from first to last in that 'access by' clause. As soon as a 'by'
>>matches, the other 'by's are ignored. If no 'access by' clause matched,
>>the defaultaccess clause is used.
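The evaluation rule quoted above (top-to-bottom scan, first matching 'access to'
wins, then first matching 'by' wins, otherwise defaultaccess) is easy to get wrong
by hand, so here is a small resolver that applies it, per attribute, to the ACL
from this message. It is an added example, not code from the thread and not
OpenLDAP's own acl.c; it makes these assumptions: the dn= target is modelled as a
subtree suffix match (in slapd.conf of that era it is a regular expression), group
membership is handed in as a set of group DNs rather than looked up via
roleOccupant, the sample users Jane and Bob under ou=People are constructed, the
added clause uses gidnumber, and when a clause matches but none of its 'by' lines
does, the default follows the quoted reply (fall through to defaultaccess), with a
switch for the implicit "by * none" that later slapd releases apply instead. It
prints, for the original ACL, for the ACL with the posix clause added after
userpassword, and for the "access to * first" ordering the reply warns about,
which clause and 'by' line decide each case.

```python
"""Toy first-match ACL resolver for the slapd.conf 'access to ... by ...' rule
quoted in the thread. Added example; not OpenLDAP code."""
from __future__ import annotations
from dataclasses import dataclass

# Access levels in increasing order of privilege.
LEVELS = {"none": 0, "compare": 1, "search": 2, "read": 3, "write": 4}

PERSONEL = "cn=personel,ou=Groups,o=MI,c=US"
CIS = "cn=cis,ou=Groups,o=MI,c=US"
PEOPLE = "ou=People,o=Morrison Industries,c=US"


@dataclass(frozen=True)
class Clause:
    dn: str | None            # None: any entry; else entry is this DN or below it (assumption: suffix match)
    attrs: frozenset | None   # None: any attribute; 'entry'/'children' are pseudo-attributes
    by: tuple                 # ((who, level), ...) in file order; who is '*', 'self' or 'group=<dn>'


@dataclass(frozen=True)
class Request:
    entry_dn: str
    attr: str
    user_dn: str
    groups: frozenset         # group DNs the bound user belongs to (constructed, not looked up)


def clause_matches(c: Clause, r: Request) -> bool:
    dn_ok = c.dn is None or r.entry_dn.lower().endswith(c.dn.lower())
    attr_ok = c.attrs is None or r.attr.lower() in c.attrs
    return dn_ok and attr_ok


def who_matches(who: str, r: Request) -> bool:
    if who == "*":
        return True
    if who == "self":
        return r.user_dn.lower() == r.entry_dn.lower()
    if who.startswith("group="):
        return who[len("group="):].lower() in {g.lower() for g in r.groups}
    raise ValueError(f"unsupported 'by' form: {who}")


def resolve(acl, r: Request, defaultaccess: str = "read", deny_on_no_by: bool = False):
    """Return (level, reason). First matching clause wins; within it the first
    matching 'by' wins. deny_on_no_by=False follows the quoted reply (fall through
    to defaultaccess); True models the implicit 'by * none' of later slapd."""
    for i, c in enumerate(acl, start=1):
        if not clause_matches(c, r):
            continue
        for who, level in c.by:
            if who_matches(who, r):
                return level, f"clause {i}, by {who}"
        if deny_on_no_by:
            return "none", f"clause {i} matched, no 'by' matched: implicit by * none"
        return defaultaccess, f"clause {i} matched, no 'by' matched: defaultaccess"
    return defaultaccess, "no clause matched: defaultaccess"


def allowed(acl, r: Request, need: str, **kw) -> bool:
    level, _ = resolve(acl, r, **kw)
    return LEVELS[level] >= LEVELS[need]


# The ACL from the message, attribute names lower-cased.
USERPASSWORD = Clause(None, frozenset({"userpassword"}),
                      (("self", "write"), (f"group={PERSONEL}", "write"), ("*", "compare")))
PEOPLE_TREE = Clause(PEOPLE, frozenset({"children", "entry", "uid", "cn"}),
                     ((f"group={PERSONEL}", "write"), (f"group={CIS}", "write")))
POSIX = Clause(None, frozenset({"loginshell", "uidnumber", "gidnumber", "homedirectory", "gecos"}),
               ((f"group={CIS}", "write"), ("*", "read")))
EVERYTHING = Clause(None, None, ((f"group={CIS}", "write"),))

ORIGINAL = (USERPASSWORD, PEOPLE_TREE, EVERYTHING)
WITH_POSIX = (USERPASSWORD, POSIX, PEOPLE_TREE, EVERYTHING)   # new clause placed after userpassword
STAR_FIRST = (EVERYTHING, USERPASSWORD, PEOPLE_TREE)          # the ordering the reply warns about

# Constructed identities: Bob is in personel, Jane is an ordinary People entry.
JANE = f"cn=Jane Doe,{PEOPLE}"
BOB = f"cn=Bob,{PEOPLE}"


def who_gets_what(acl, **kw) -> dict:
    """Map scenario -> (write allowed?, deciding clause/by) under the given ACL."""
    def bob(attr, dn=JANE):
        return Request(dn, attr, BOB, frozenset({PERSONEL}))
    cases = {
        "personel writes cn": bob("cn"),
        "personel writes userpassword": bob("userpassword"),
        "personel adds under ou=People (children)": bob("children", PEOPLE),
        "personel writes loginshell": bob("loginshell"),
        "self writes own userpassword": Request(JANE, "userpassword", JANE, frozenset()),
    }
    return {n: (allowed(acl, r, "write", **kw), resolve(acl, r, **kw)[1]) for n, r in cases.items()}


if __name__ == "__main__":
    for label, acl in (("original", ORIGINAL), ("with posix clause", WITH_POSIX), ("access to * first", STAR_FIRST)):
        print(f"== {label}")
        for name, (ok, why) in who_gets_what(acl).items():
            print(f"  {'write' if ok else 'NO write':9} {name:42} <- {why}")
```

Running it shows that, under the quoted rule, personel's write on cn, uid, entry and
children still comes from the ou=People clause whether or not the posix clause is
present, userpassword still comes from the first clause, and loginshell for personel
is read either way: without the new clause it falls to defaultaccess via the
'access to *' clause (whose only 'by' is cis), with it the new clause's 'by * read'
decides. Put 'access to *' first and every case lands on that clause, so even self
loses write on userpassword.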