[Date Prev][Date Next] [Chronological] [Thread] [Top]

@OC notation in ACLs: does it include the OC itself?



(openldap-2.3.23)

If I have an ACL like this:

access to dn.subtree="dc=example,dc=com"
	attrs=@shadowAccount
	by group.exact="cn=LDAP Admins,ou=System Groups,dc=example,dc=com"
	by * none

Would it be equivalent to, instead of using @shadowAccount, just listing all
attributes of that class? Or does the above ACL also require that the entry has
the shadowAccount object class?

I ask because attributes are shared among different object classes. For
example, both posixAccount and shadowAccount use userPassword.

So, would the above ACL let a member of LDAP Admins update the userPassword
attribute in this sample entry?

dn: uid=foo,ou=People,dc=example,dc=com
uid: foo
objectClass: inetOrgPerson
objectClass: posixAccount
cn: foo
sn: foo
userPassword: secret <-----
(...)