[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: Tricky ACL

--On Tuesday, October 12, 2004 10:37 PM +0200 Pierangelo Masarati <ando@sys-net.it> wrote:
You don't say what version you're using; this may impact the availability
of certain ACLs.  For HEAD code, which should be relatively similar to
2.2.17 in this field, the slapd.access(5) man page documents the "val"
option for attributeType qualification; it says
    attrs=<attr> val[.<style>]=<attrval>
which means that only one attribute type must be present ("<attr>"); it
doesn't mention submatch (from DN?) expansion, and I'm pretty sure the
code doesn't do that.  What you want to do can be obtained by using

access to dn.subtree="cn=people,dc=uta,dc=edu"
    by set.exact="this/accountName & user/uid" read

Of course you may need more rules to make sure that "user" actually is an

Wow, that works great. :) Stanford also has separate account/person trees, and that just solved a long standing problem for me. ;)


Quanah Gibson-Mount
Principal Software Developer
ITSS/Shared Services
Stanford University
GnuPG Public Key: http://www.stanford.edu/~quanah/pgp.html