
Re: ACL to permit access to some attributes





--On Friday, April 02, 2004 10:04 PM +0200 Tony Earnshaw <tonye@billy.demon.nl> wrote:

Fri, 02.04.2004 at 20.46, Quanah Gibson-Mount wrote:

> access to dn="dc=fadesa,dc=es"
>   attr=userPassword
>   by self write
>   by dn="cn=admin,(whatever it is)" write
>   by anonymous auth
>   by * none
>

Yeah, that is the example he was looking at though, not the ACL he's
currently using:

Huh? He had no base dn.

These are his current ACLs:

access to dn.base=""
       by * read
       by * break

access to dn.base="cn=Subschema"
       by * read
       by * break

access to dn.children="dc=fadesa,dc=es" attrs=objectclass,mail
       by * read

Those have the base DN in where needed. ;)


What he said was, I saw this ACL as an example:

access to attrs=userPassword
       by self write
       by dn.exact="cn=admin,ou=users,dc=domain" write
       by anonymous auth

Not that he was using it. ;)



Also, it is attrs= not attr= :)

*shrug* - both work; I use attr for one, attrs for more than one.

Hm, I'll have to remember that... I don't see attr= documented in slapd.access, I wonder if that is a bug.


--Quanah

--
Quanah Gibson-Mount
Principal Software Developer
ITSS/TSS/Computing Systems
ITSS/TSS/Infrastructure Operations
Stanford University
GnuPG Public Key: http://www.stanford.edu/~quanah/pgp.html