
ACL assistance needed

Hi all,

I am looking for a way to write an ACL such that a user only has read access 
to entries in a subtree that she also has write access to, to unclutter 
things.  Let me try to explain better.

Under dc=mycompany,dc=com, I have ou=Email Aliases.  Subentries of this are 
courierMailAlias objects.  Most of these are standard mail aliases.  However, 
I would like a few of them to be editable by specific people.  To this end, 
in one such entry, I put a DN in the roleOccupant attribute for 
the person who should be able to edit the entry.  I wrote the following ACL 
to give her write access:

access to dn.children="ou=Email Aliases,dc=mycompany,dc=com"
  by dnattr=roleOccupant write
  by group/groupOfUniqueNames/uniqueMember="cn=LDAP Administrators,dc=borkholder,dc=com" write
  by * none

It works -- it lets the user edit the entry and not edit any other entries 
where she is not the roleOccupant.  However, I would really like it if the 
only entries she could see were the ones that she could write to.  Right now 
she can view all the aliases, even if she cannot write to them.  Is there any 
way to accomplish what I am trying to do, without making an ACL for each 
specific courierMailAlias in the subtree?
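
As an added illustration of how slapd evaluates access directives (this is example configuration, not part of the original post and not a statement about the poster's actual slapd.conf): per slapd.access(5), the directives are tried in order and the first `access to` whose target matches the entry is the one used, so a subtree-specific rule only takes effect if no earlier, broader rule already matched. The catch-all rule and the cn=courier bind DN below are assumptions for the example; the subtree rule reuses the DNs from the post.

```conf
# Added example, not the poster's configuration.
# Order matters: slapd uses the FIRST "access to" whose target matches,
# so the rule for ou=Email Aliases must come before any catch-all rule.

# 1. Subtree-specific rule.  "by * none" also denies read on the "entry"
#    pseudo-attribute, so non-matching users do not see these entries in
#    search results at all.  Whatever reads the aliases for mail delivery
#    must therefore be listed explicitly (cn=courier is an assumed DN).
access to dn.children="ou=Email Aliases,dc=mycompany,dc=com"
  by dnattr=roleOccupant write
  by group/groupOfUniqueNames/uniqueMember="cn=LDAP Administrators,dc=mycompany,dc=com" write
  by dn.exact="cn=courier,dc=mycompany,dc=com" read
  by * none

# 2. Catch-all for everything else (assumed).  If a rule like this sat
#    ABOVE rule 1, it would match every alias entry first and grant read
#    to all authenticated users; rule 1 would never be consulted.
access to *
  by users read
  by * none
```

A quick way to see which rule a bind DN actually hits is to run slapd with ACL debugging (`-d acl`, or `loglevel acl` in slapd.conf) and perform the search as that user; the log shows each `access to` clause as it is tested against the entry.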