Re: ACL assistance needed

On Thursday 06 January 2005 18:08, Heiko Noordhof wrote:

> Hi,
> Maybe I'm overlooking something, but wouldn't it be enough to put
> something like *before* your ACL entry?
> access to dn.children="ou=Email Aliases,dc=mycompany,dc=com"
>     by * none

No, I believe that OpenLDAP looks at the ACLs and finds the first one that 
matches, and then stops.  Therefore, if I put that rule before the other one, 
then no subentries are visible for anyone, regardless of the next rules.  If 
I were to put this one after, it would have no effect at all.  I need an ACL 
that will check access on each of the children, and only grant write access 
to the entry if the person is listed in roleOccupants.  Otherwise the person 
should have no access to the subentry at all.  Does that make sense?


> Hope this helps.
> Regards,
> 	Heiko
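
Added example, not part of the original thread: a simplified Python model of the first-match evaluation discussed above, showing a blanket "by * none" clause placed before and after a per-entry clause that uses slapd.access's "by dnattr=<attr>" who-clause. The rules, user DNs and alias entry are constructed, the attribute is assumed to be organizationalRole's roleOccupant, and the model ignores attribute lists, "break"/"continue" control and real DN normalization.

```python
# Simplified model of slapd ACL evaluation: the first "access to" clause whose
# target matches the entry is selected, then the first matching "by" clause in
# that clause decides the access level. Nothing after it is consulted.
BASE = "ou=Email Aliases,dc=mycompany,dc=com"

def children_of(base):
    # dn.children: entries strictly below the base, not the base itself
    return lambda dn: dn.lower().endswith("," + base.lower())

def anyone(user, entry):
    return True

def dnattr(attr):
    # by dnattr=<attr>: requester's DN is a value of <attr> in the target entry
    return lambda user, entry: user in entry.get(attr, [])

def access(acl, user, dn, entry):
    for target, by_clauses in acl:
        if target(dn):
            for who, level in by_clauses:
                if who(user, entry):
                    return level
            return "none"   # implicit "by * none" ends every clause
    return "none"           # implicit "access to * by * none" ends the list

# Constructed rules and entries, for illustration only.
deny_all = (children_of(BASE), [(anyone, "none")])
per_entry = (children_of(BASE),
             [(dnattr("roleOccupant"), "write"), (anyone, "none")])

ALICE = "uid=alice,ou=People,dc=mycompany,dc=com"
BOB = "uid=bob,ou=People,dc=mycompany,dc=com"
ALIAS_DN = "cn=sales," + BASE
ALIAS = {"roleOccupant": [ALICE]}

def demo():
    return {
        # Blanket deny first: it matches and evaluation stops there.
        "deny_first": access([deny_all, per_entry], ALICE, ALIAS_DN, ALIAS),
        # Blanket deny last: never reached, the per-entry clause decides.
        "deny_last_owner": access([per_entry, deny_all], ALICE, ALIAS_DN, ALIAS),
        "deny_last_other": access([per_entry, deny_all], BOB, ALIAS_DN, ALIAS),
    }

if __name__ == "__main__":
    print(demo())
```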