
Re: ACL assistance needed

Misty Stanley-Jones wrote:

Under dc=mycompany,dc=com, I have ou=Email Aliases. Subentries of this are courierMailAlias objects. Most of these are standard mail aliases. However, I would like a few of them to be editable by specific people. To this end, in one such entry, I put a DN in the roleOccupant attribute for the person who should be able to edit the entry. I wrote the following ACL to give her write access:

access to dn.children="ou=Email Aliases,dc=mycompany,dc=com"
by dnattr=roleOccupant write
by group/groupOfUniqueNames/uniqueMember="cn=LDAP Administrators,dc=borkholder,dc=com" write
by * none

It works -- it lets the user edit the entry and not edit any other entries where she is not the roleOccupant. However, I would really like it if the only entries she could see were the ones that she could write to. Right now she can view all the aliases, even if she cannot write to them. Is there any way to accomplish what I am trying to do, without making an ACL for each specific courierMailAlias in the subtree?


Maybe I'm overlooking something, but wouldn't it be enough to put something like this *before* your ACL entry?

access to dn.children="ou=Email Aliases,dc=mycompany,dc=com"
   by * none

Hope this helps.
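To make the ordering question concrete, here is a small model of how slapd evaluates the ACL quoted in the question. This is an added example written for this page, not OpenLDAP code or anything from the thread; the user DN, the administrators group DN and the two alias entries are constructed. slapd picks the first "access to" clause whose target matches the entry and then the first "by" clause whose subject matches, so a broader clause that sits earlier in slapd.conf decides access for every entry in the subtree before the specific clause is ever consulted.

```python
# Minimal model of slapd ACL evaluation (constructed example, not OpenLDAP code):
# slapd uses the FIRST "access to" clause whose target matches the entry, then the
# first "by" clause whose subject matches. Only the levels used here are modelled.
LEVELS = {"none": 0, "read": 1, "write": 2}
BASE = "ou=Email Aliases,dc=mycompany,dc=com"
ADMINS = "cn=LDAP Administrators,dc=mycompany,dc=com"   # assumed group DN
MISTY = "uid=misty,ou=People,dc=mycompany,dc=com"       # assumed user DN

# Constructed directory: two alias entries (one with a roleOccupant) and the group.
DIRECTORY = {
    "cn=sales," + BASE: {"objectClass": ["courierMailAlias"], "roleOccupant": [MISTY]},
    "cn=postmaster," + BASE: {"objectClass": ["courierMailAlias"]},
    ADMINS: {"objectClass": ["groupOfUniqueNames"],
             "uniqueMember": ["uid=admin,ou=People,dc=mycompany,dc=com"]},
}

def target_matches(to, dn):
    if to == "*":
        return True
    if to.startswith("dn.children="):           # strictly below the base, any depth
        base = to.split("=", 1)[1]
        return dn != base and dn.endswith("," + base)
    raise ValueError(to)

def subject_matches(who, bind_dn, entry):
    if who == "*":
        return True
    if who.startswith("dnattr="):               # bind DN listed in the entry's attribute
        return bind_dn in entry.get(who.split("=", 1)[1], [])
    if who.startswith("group="):                # uniqueMember of the named group
        return bind_dn in DIRECTORY.get(who.split("=", 1)[1], {}).get("uniqueMember", [])
    raise ValueError(who)

def access(acls, bind_dn, dn):
    """Privilege bind_dn gets on dn; acls is an ordered list of (to, [(who, level), ...])."""
    for to, by_clauses in acls:
        if target_matches(to, dn):
            for who, level in by_clauses:
                if subject_matches(who, bind_dn, DIRECTORY[dn]):
                    return level
            return "none"                       # target matched but no subject did
    return "none"                               # nothing matched: slapd denies

# The ACL from the question. Placing a broader clause such as ("*", [("*", "read")])
# BEFORE it makes that clause win for every alias entry, so the specific one never runs.
ALIAS_ACL = ("dn.children=" + BASE,
             [("dnattr=roleOccupant", "write"), ("group=" + ADMINS, "write"), ("*", "none")])
```

With only ALIAS_ACL in place the user gets write on the entry naming her as roleOccupant and none on the others, which is the behaviour the question asks for; the same check run with a broader clause ahead of it shows that clause deciding instead.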