Re: ACL assistance needed
On Thursday 06 January 2005 18:08, Heiko Noordhof wrote:
> Maybe I'm overlooking something, but wouldn't it be enough to put
> something like *before* your ACL entry?
> access to dn.children="ou=Email Aliases,dc=mycompany,dc=com"
> by * none
No, I believe that OpenLDAP looks at the ACLs and finds the first one that
matches, and then stops. Therefore, if I put that rule before the other one,
then no subentries are visible for anyone, regardless of the next rules. If
I were to put this one after, it would have no effect at all. I need an ACL
that will check access on each of the children, and only grant write access
to the entry if the person is listed in roleOccupants. Otherwise the person
should have no access to the subentry at all. Does that make sense?
> Hope this helps.
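
The rule ordering discussed in this message, as an added example that is not part of the original post and is not OpenLDAP's code: a simplified Python model of first-match ACL evaluation, run against the quoted "by * none" rule in both positions and against a single merged clause. The user DNs, the alias entry, and the use of slapd's dnattr=<attr> who-clause with the standard roleOccupant attribute (assumed to be what the post calls roleOccupants) are constructed for illustration.

```python
# Simplified model of slapd's ACL evaluation order (not OpenLDAP code).
BASE = "ou=Email Aliases,dc=mycompany,dc=com"
ALICE = "uid=alice,ou=People,dc=mycompany,dc=com"      # constructed user
BOB = "uid=bob,ou=People,dc=mycompany,dc=com"          # constructed user
ALIAS_DN = "cn=sales," + BASE                          # constructed child entry
ALIAS = {"roleOccupant": [ALICE]}                      # only alice is listed

DENY_ALL = (BASE, [("*", "none")])                     # rule quoted in the thread
ROLE_RULE = (BASE, [("dnattr=roleOccupant", "write")]) # hypothetical stand-in rule
MERGED = (BASE, [("dnattr=roleOccupant", "write"), ("*", "none")])

def is_child(dn, base):
    """dn.children scope: entries strictly below base, never base itself."""
    return dn.lower().endswith("," + base.lower())

def who_matches(who, user_dn, entry):
    """Match one 'by <who>' clause against the requester and target entry."""
    if who == "*":
        return True
    if who.startswith("dnattr="):
        # dnattr=<attr>: requester's DN is a value of <attr> in the target entry
        attr = who.split("=", 1)[1]
        return user_dn in entry.get(attr, [])
    return False

def evaluate(acls, user_dn, entry_dn, entry):
    """The first 'access to' clause whose target matches decides the result;
    inside it the first matching 'by' wins. Later clauses are never read."""
    for base, by_clauses in acls:
        if not is_child(entry_dn, base):
            continue
        for who, level in by_clauses:
            if who_matches(who, user_dn, entry):
                return level
        return "none"   # implicit trailing "by * none" of every clause
    return "none"       # modelled default when no clause matches the target

if __name__ == "__main__":
    for name, acls in [("deny first", [DENY_ALL, ROLE_RULE]),
                       ("deny last", [ROLE_RULE, DENY_ALL]),
                       ("merged", [MERGED])]:
        print(name,
              "alice:", evaluate(acls, ALICE, ALIAS_DN, ALIAS),
              "bob:", evaluate(acls, BOB, ALIAS_DN, ALIAS))
```

In the model, the per-entry check comes from putting both "by" lines inside one "access to" clause, because the dnattr test is evaluated against each target entry's own attribute values.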