fre, 2002-08-09 kl. 13:26 skrev Brian Sullivan:
> All,
>
> Don't know if you all can help me but I am trying to put an ACI on a branch my
> directory and can't figure it out. I have a group with 100 members
> or so,
> cn=mygroup,ou=myapplication,o=mycompany.com
> I also have an administrative user
> uid=myapp-admin,ou=Administrators,o=mycompany.com
> I need an ACI such that the myapp-admin has total access and such that the folks
> in the mygroup have readonly access to the branch
> ou=myapplication,o=mycompany.com. Does anyone know if this is
> possible and how it might be done?
Hate this ASCII art, hope you are using Courier or another monospaced
font.
Shuffle your org into a more logical hierarchy:
_ dc=mycompany,dc=com
|
|________________________________________________________
| |
cn=myapp-admin,ou=Administrators,dc=mycompany,dc=com |
|
ou=mygroup,dc=mycompany,dc=com |
|
cn=myapplication,ou=mygroup,dc=mycompany,dc=com
---
ou=mygroup,dc=mycompany,dc=com is "top, group of names", with named
members.
___
access to dn="cn=myapplication,ou=mygroup,dc=mycompany,dc=com"
by anonymous auth
by dn=".*,ou=Administrators,dc=mycompany,dc=com" write
by group="ou=mygroup,dc=mycompany,dc=com" dnattr=member read
by * none
___
Actually you can have far more complicated structures than this :-)
I'd seriously suggest that, if you are using or can use Gnome on Linux
(or Solaris?), that you get hold of GQ. It will teach you to "see"
hierarchies and, together with 'tail -f' on a slapd -d256 log output,
tell you whenever you go wrong and why. Won't help you writing the ACLs,
but certainly wil tith the organization.
Best,
Tony
--
Tony Earnshaw
The usefulness of RTFM is vastly overrated.
e-post: tonni@billy.demon.nl
www: http://www.billy.demon.nl
gpg public key: http://www.billy.demon.nl/tonni.armor
Telefoon: (+31) (0)172 530428
Mobiel: (+31) (0)6 51153356
GPG Fingerprint = 3924 6BF8 A755 DE1A 4AD6 FA2B F7D7 6051 3BE7 B981
3BE7B981
Attachment:
signature.asc
Description: Dette er en digitalt signert meldingsdel