
Re: Tough ACI Question

On Fri, 2002-08-09 at 13:26, Brian Sullivan wrote:
> All,
> Don't know if you all can help me but I am trying to put an ACI on a branch my
>  directory and can't figure it out.  I have a group with 100 members
> or so,
> cn=mygroup,ou=myapplication,o=mycompany.com
> I also have an administrative user
> uid=myapp-admin,ou=Administrators,o=mycompany.com
> I need an ACI such that the myapp-admin has total access and such that the folks
>  in the mygroup have readonly access to the branch
> ou=myapplication,o=mycompany.com.  Does anyone know if this is
> possible and how it might be done?

Hate this ASCII art, hope you are using Courier or another monospaced

Shuffle your org into a more logical hierarchy:

_ dc=mycompany,dc=com
|                                                       |    
cn=myapp-admin,ou=Administrators,dc=mycompany,dc=com    |  
                         ou=mygroup,dc=mycompany,dc=com | 


ou=mygroup,dc=mycompany,dc=com is "top, group of names", with named


# slapd.conf access directive. Clauses are tried in order and the first
# matching "by" wins, so keep the specific grants above "by * none".
# dn.subtree covers the entry and everything below it (the whole branch);
# the regex is anchored so it cannot match a DN that only contains the suffix.
access to dn.subtree="cn=myapplication,ou=mygroup,dc=mycompany,dc=com"
     by anonymous auth
     by dn.regex="^.*,ou=Administrators,dc=mycompany,dc=com$" write
     by group/groupOfNames/member="ou=mygroup,dc=mycompany,dc=com" read
     by * none

Actually you can have far more complicated structures than this :-)

I'd seriously suggest that, if you are using or can use Gnome on Linux
(or Solaris?), that you get hold of GQ. It will teach you to "see"
hierarchies and, together with 'tail -f' on a slapd -d256 log output,
tell you whenever you go wrong and why. Won't help you with writing the ACLs,
but certainly will with the organization.




Tony Earnshaw

The usefulness of RTFM is vastly overrated.

e-post:		tonni@billy.demon.nl
www:		http://www.billy.demon.nl
gpg public key:	http://www.billy.demon.nl/tonni.armor

Telefoon:	(+31) (0)172 530428
Mobiel:		(+31) (0)6 51153356

GPG Fingerprint = 3924 6BF8 A755 DE1A 4AD6 FA2B F7D7 6051 3BE7 B981

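Added illustration, not part of the thread or of OpenLDAP itself: a small model of how slapd evaluates an "access to ... by ..." directive (first matching "by" clause wins, and each access level implies the ones below it), applied to the ACL proposed above. The group entry in DIRECTORY, the requester DNs, and the helper names are all constructed for this example.

```python
# Added example (not from the thread): a minimal model of slapd ACL evaluation
# so the directive above can be sanity-checked against a few constructed
# requesters. DIRECTORY and every DN below are constructed for the illustration.
import re

# Ascending privilege order as slapd understood it at the time: each level
# implies the ones before it ("read" also allows search and compare).
ACCESS_LEVELS = ["none", "auth", "compare", "search", "read", "write"]

# Constructed group entry, shaped like the "top, groupOfNames" object the mail
# describes. A real slapd looks this up in its backend at evaluation time.
DIRECTORY = {
    "ou=mygroup,dc=mycompany,dc=com": {
        "objectClass": ["top", "groupOfNames"],
        "member": [
            "uid=alice,ou=People,dc=mycompany,dc=com",
            "uid=bob,ou=People,dc=mycompany,dc=com",
        ],
    },
}


def is_group_member(group_dn, requester_dn, attr="member"):
    """Models group/groupOfNames/member=<dn>: the requester's DN must be a value of <attr>."""
    entry = DIRECTORY.get(group_dn)
    return entry is not None and requester_dn in entry.get(attr, [])


# The ACL as (who-predicate, access) pairs. A requester of None stands for an
# anonymous (unbound) connection. The regex is anchored with ^ and $ on
# purpose: dn.regex is a search, so an unanchored pattern would also match a
# DN that merely contains the administrators suffix somewhere inside it.
ADMIN_RE = re.compile(r"^.*,ou=Administrators,dc=mycompany,dc=com$")
ACL = [
    (lambda who: who is None, "auth"),                                 # by anonymous auth
    (lambda who: who is not None and ADMIN_RE.search(who) is not None, "write"),
    (lambda who: who is not None
     and is_group_member("ou=mygroup,dc=mycompany,dc=com", who), "read"),
    (lambda who: True, "none"),                                        # by * none
]

# The same clauses with "by * none" moved to the top: a common ordering mistake.
MISORDERED_ACL = [ACL[3]] + ACL[:3]


def evaluate(requester_dn, acl=ACL):
    """Return the access level granted: the first matching 'by' clause wins,
    and slapd never looks past that first match."""
    for matches, level in acl:
        if matches(requester_dn):
            return level
    return "none"  # slapd's default when no clause matches


def grants(requester_dn, wanted, acl=ACL):
    """True if the granted level is at least 'wanted'."""
    return ACCESS_LEVELS.index(evaluate(requester_dn, acl)) >= ACCESS_LEVELS.index(wanted)


if __name__ == "__main__":
    for who in (None,
                "cn=myapp-admin,ou=Administrators,dc=mycompany,dc=com",
                "uid=alice,ou=People,dc=mycompany,dc=com",
                "uid=mallory,ou=People,dc=mycompany,dc=com"):
        print(f"{who or '<anonymous>'}: {evaluate(who)} "
              f"(misordered: {evaluate(who, MISORDERED_ACL)})")
```

Running it shows the admin getting write, a group member read, anonymous auth only and everyone else none, while the misordered copy hands "none" to every requester, which is the first-match behaviour worth remembering when a directive does not do what you expect.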