
ACLs: Dn.subtree + dnattr

Dear List

Can anybody point me in the right direction? I have a problem with specifying ACLs which depend on the 'dnattr' who-qualifier. Unfortunately, 'dnattr' is not documented too well and I couldn't get it working until now.
Here's the setup:

I have a hierarchy like this:


The location objectclass:

objectclass ( NAME 'myLocality'
    DESC 'a locality object'
    SUP locality STRUCTURAL
    MUST objectclass
    MAY ( admin $ timeZone $ itDomainID $ adminMail $ mail $ description $ 
        postalAddress $ c $ telephoneNumber $ facsimileTelephoneNumber ) )

Now on the 'l' objects, I created the attribute 'admin', which holds the DNs of people who are (or should be ...) allowed to edit and create entries below the l's.

My acl for such a location looks like this:

access to dn.subtree="l=something,ou=bla,o=blabla,dc=example,dc=com"
        by dnattr=Admin write
        by * read

There are different admins for each location, and I have many of them, so it would be a good thing if I could keep the existing structure and still get it to work.

Thank you very much for your help.

Regards, Florian
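An added illustration, not part of Florian's message: a small Python model of how slapd.access(5) evaluates a `dnattr=<attr>` who-clause, namely by looking for the requester's DN in the named attribute of the entry being accessed, not in any ancestor entry. The directory tree, the DNs (cn=alice, cn=printer1) and the `allowed()`/`access_level()` helpers below are constructed for the example; this is not OpenLDAP's own code.

```python
"""Model of how slapd.access(5) evaluates a `dnattr=<attr>` who-clause.

Illustrative code only (not OpenLDAP's implementation). The DIT, the DNs and
the helper names below are constructed for this example.
"""
from typing import Dict, List, Tuple

# Access levels in increasing order of privilege, as listed in slapd.access(5).
LEVELS = ["none", "disclose", "auth", "compare", "search", "read", "write", "manage"]


def normalize_dn(dn: str) -> str:
    """Crude DN normalization: trim and lower-case each RDN (enough for this model)."""
    return ",".join(rdn.strip().lower() for rdn in dn.split(","))


def in_subtree(target: str, base: str) -> bool:
    """dn.subtree scope: the base entry itself and everything below it."""
    target, base = normalize_dn(target), normalize_dn(base)
    return target == base or target.endswith("," + base)


# Constructed directory: DN -> {attribute name (lower-case): [values]}
_RAW_DIT: Dict[str, Dict[str, List[str]]] = {
    "l=something,ou=bla,o=blabla,dc=example,dc=com": {
        "objectclass": ["locality", "myLocality"],
        # 'admin' is carried by the locality entry only, not by its children
        "admin": ["cn=alice,ou=people,dc=example,dc=com"],
    },
    "cn=printer1,l=something,ou=bla,o=blabla,dc=example,dc=com": {
        "objectclass": ["device"],
    },
}
DIT = {normalize_dn(dn): attrs for dn, attrs in _RAW_DIT.items()}

# The ACL from the message expressed as data: (what-scope, base, ordered who-clauses).
WhoClause = Tuple[str, str, str]  # (kind, argument, access level)
ACL: List[Tuple[str, str, List[WhoClause]]] = [
    ("dn.subtree", "l=something,ou=bla,o=blabla,dc=example,dc=com",
     [("dnattr", "Admin", "write"),
      ("*", "", "read")]),
]


def who_matches(kind: str, arg: str, requester: str, entry: Dict[str, List[str]]) -> bool:
    """Evaluate one <who> clause against the entry being accessed."""
    if kind == "*":
        return True
    if kind == "dnattr":
        # dnattr=<attr>: the requester's DN must appear as a value of <attr>
        # *in the entry being accessed*; parent entries are not consulted.
        values = entry.get(arg.lower(), [])  # attribute names are case-insensitive
        return normalize_dn(requester) in {normalize_dn(v) for v in values}
    raise ValueError(f"unsupported who-clause kind: {kind}")


def access_level(acl, requester: str, target: str) -> str:
    """First matching <what> clause wins; within it, the first matching <who> wins."""
    entry = DIT.get(normalize_dn(target))
    if entry is None:
        return "none"  # model only covers existing entries
    for scope, base, who_clauses in acl:
        if scope != "dn.subtree" or not in_subtree(target, base):
            continue
        for kind, arg, level in who_clauses:
            if who_matches(kind, arg, requester, entry):
                return level
        return "none"  # <what> matched but no <who> clause did
    return "none"      # no <what> clause matched


def allowed(acl, requester: str, target: str, needed: str) -> bool:
    """True if the granted level is at least the level the operation needs."""
    return LEVELS.index(access_level(acl, requester, target)) >= LEVELS.index(needed)


if __name__ == "__main__":
    alice = "cn=alice,ou=people,dc=example,dc=com"
    for dn in DIT:
        print(f"{alice} on {dn}: {access_level(ACL, alice, dn)}")
```

Run stand-alone, the script grants alice `write` on the `l=something` entry, where her DN is listed under `admin`, but only `read` on `cn=printer1` below it, because that entry carries no `admin` attribute and the request falls through to `by * read`. The `dn.subtree` scope selects which entries the rule applies to; it does not change which entry a `dnattr` who-clause inspects.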
