[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: group acl permissions

thanks for replying. :)

however it still doesn't allow access to write for 'account operators', unless i specify 'by * write' instead of read!

having checked my account operators group, the memberUid contains the uid of the user, not the uidnumber.

is there some query i can run as manager to discover if this syntax is right? 


 --- On Thu 11/03, Pierangelo Masarati < ando@sys-net.it > wrote:
From: Pierangelo Masarati [mailto: ando@sys-net.it]
To: jhalfpenny@excite.com
     Cc: OpenLDAP-software@OpenLDAP.org
Date: Thu, 03 Nov 2005 15:48:59 +0100
Subject: Re: group acl permissions

On Thu, 2005-11-03 at 06:43 -0500, John Halfpenny wrote:<br>> hi everyone.<br>> <br>> i'm trying to get to grips with acls on ldap, could someone glance over this snippet of config and tell me why my members in 'Account operators' are only being granted read permission to user attributes? <br>> <br>> thanks!<br>> <br>> <br>> access to dn.base="" by * read<br>> access to dn.base="cn=Subschema" by * read<br>> <br>> access to dn.onelevel="ou=Users,dc=student,dc=local" attrs=entry,@extensibleObject<br>>     by set="user/uid & [cn=Account Operators,ou=Groups,dc=student,dc=local]/memberUid" write<br>>     by * read<br>> <br>> access to dn.base="ou=Users,dc=student,dc=local" attrs=children<br>>     by set="user/uid & [cn=Account Operators,ou=Groups,dc=student,dc=local]/memberUid" write<br>>     by * read<br><br>Assuming you're populating your database with entries consistent with<br>rfc2307 schema, I bet you'd use "uidNumber" instead of "uid" from users;<br>that is:<br><br>access to 
dn.onelevel="ou=Users,dc=student,dc=local"<br>	attrs=entry,@extensibleObject<br>    by set="user/uidNumber & [cn=Account Operators,ou=Groups,dc=student,dc=local]/memberUid" write<br>    by * read<br><br>and so on...<br><br>p.<br><br><br><br>    SysNet - via Dossi,8 27100 Pavia Tel: +390382573859 Fax: +390382476497<br><br>

Join Excite! - http://www.excite.com
The most personalized portal on the Web!