
Re: help w/ ACL

I think the problem is that when the server processes the access to the entry 
(o or cn entries), it finds that the target "*" is also valid for this access 
("*" means all the entries). So, it tries to match the user connected with 
one of the 'by' entries and, as any of these entries will match with a normal 
user, it denies the access.

In order to avoid this you can use:

access to * attr=o,cn
    by * read

access to *
    by self write
    by anonymous auth
    by * read

You have to put the attribute ACL first. I hope it helps.


On Monday 15 October 2001 13:17, Dane Foster wrote:
> Hello.  I'm having an ACL issue where I don't understand why it's not
> working and I'm hoping one of the ACL gurus can help me out.  I'm at the point
> where I've simplified my ACL to the point where I think it should work but
> it does not.  Basically I'm trying to have it where everyone except
> anonymous users can read the 'o' and 'cn' (if they apply) attributes of an
> entry.
> My global ACL definition is as follows:
> access to *
>     by self write
>     by anonymous auth
> My simplified database ACL is as follows:
> access to * attr=o,cn
>     by * read
> The database ACL doesn't achieve what I said in the first paragraph but it
> should allow any query to read the o and cn attributes unfortunately, it
> doesn't work.  If anyone knows the answer I would appreciate being
> enlightened.  Thanx.
> Dane Foster
> Equity Technology Group, Inc
> http://www.equitytg.com.
> 954.360.9800
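
A toy model of the first-match evaluation the reply describes, added here as an illustration (it is not code from the thread or from OpenLDAP). It assumes, as the reply diagnoses, that the catch-all `to *` directive is consulted before the attribute directive in the original configuration; the DNs and function names are constructed for the example.

```python
# Toy model of slapd's first-match ACL evaluation (added illustration).
LEVELS = ["none", "auth", "compare", "search", "read", "write"]

def who_matches(who, requester, entry_dn):
    """requester is None for an anonymous bind, otherwise the bound DN."""
    if who == "*":
        return True
    if who == "anonymous":
        return requester is None
    if who == "self":
        return requester is not None and requester == entry_dn
    return False

def granted_level(acl, requester, entry_dn, attr):
    """Level given by the first directive whose target covers attr."""
    for attrs, by_clauses in acl:
        if attrs is not None and attr not in attrs:
            continue  # 'to * attr=...' does not cover this attribute
        for who, level in by_clauses:
            if who_matches(who, requester, entry_dn):
                return level
        return "none"  # target matched but no 'by' did: implicit 'by * none'
    return "none"      # no directive matched: implicit 'access to * by * none'

def can(acl, requester, entry_dn, attr, wanted):
    got = granted_level(acl, requester, entry_dn, attr)
    return LEVELS.index(got) >= LEVELS.index(wanted)

# Directive = (attribute list, or None for all attributes, [(who, level), ...])
CATCH_ALL_ORIGINAL = (None, [("self", "write"), ("anonymous", "auth")])
ATTR_RULE = (["o", "cn"], [("*", "read")])
CATCH_ALL_FIXED = (None, [("self", "write"), ("anonymous", "auth"), ("*", "read")])

# Assumed order for the failing setup: the catch-all 'to *' is consulted first.
ORIGINAL = [CATCH_ALL_ORIGINAL, ATTR_RULE]
# Order recommended in the reply: attribute directive first.
FIXED = [ATTR_RULE, CATCH_ALL_FIXED]

# Constructed sample DNs
ENTRY = "cn=Some Entry,o=example"
OTHER_USER = "cn=Other User,o=example"

if __name__ == "__main__":
    for name, acl in (("original", ORIGINAL), ("fixed", FIXED)):
        for requester in (None, OTHER_USER, ENTRY):
            print(name, requester or "anonymous",
                  "cn ->", granted_level(acl, requester, ENTRY, "cn"))
```

In this model the reordered list also limits the entry's owner to read on o and cn, because the attribute directive matches before `by self write` is ever reached. The catch-all `by * read` gives any authenticated user read on every other attribute, userPassword included, unless a more specific directive precedes it.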