
Need some help with ACLs


I'm in the process of moving from a Netscape server to OpenLDAP, and I have some fairly complex ACLs that I can't quite figure out how to translate. I have a hierarchy that's two layers deep, and the leaves are ObjectClass groupOfUniqueNames. At the top layer, owners have full privileges all the way to the bottom. Users (including anonymous) have read access except for the owner and uniquemember attributes, and it's that restriction that I'm not sure how to do. From what I understand, the "attrs" of the "access to" clause enables specific access to attributes. I tried using "!=", but OpenLDAP doesn't like that. Also, the admin manual briefly talks about the "attrs" modifier but, in the examples, uses an "attr" modifier. Is one of those a typo, or are they synonyms for each other?

Here's what I have so far:

access to dn.subtree="ou=classlists,o=linfield.edu"
by dnattr=owner write
access to dn.subtree="ou=classlists,o=linfield.edu" [ attrs!=uniquemember,owner ?? ]
by * read

Can someone help me out here?


Rob Tanner
Linfield College

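Added example (not part of the original post): the restriction above written as ordered slapd.conf ACL clauses, since OpenLDAP has no negated attrs= selector. It assumes the poster's subtree "ou=classlists,o=linfield.edu" and that the entries carry an "owner" attribute holding the owner's DN; slapd.access(5) spells the keyword attrs=, and attr= is the older spelling of the same selector.

```conf
# Added example, not from the original post.
# Assumed base: ou=classlists,o=linfield.edu; assumed that each entry
# (leaf groups and the intermediate level) has an "owner" attribute.

# Clause 1: the sensitive attributes. The entry's owner (matched through
# dnattr=owner) may read and write them; everyone else, anonymous
# included, is denied ("none").
access to dn.subtree="ou=classlists,o=linfield.edu"
        attrs=owner,uniqueMember
    by dnattr=owner write
    by * none

# Clause 2: every other attribute (and the entry itself) in the subtree:
# owner gets write, all others get read.
# Order matters: slapd uses the first "access to" clause whose <what>
# matches the attribute, so this broader clause must come AFTER clause 1,
# or it would grant read on owner/uniqueMember to everyone.
access to dn.subtree="ou=classlists,o=linfield.edu"
    by dnattr=owner write
    by * read
```

Check with a bind as a non-owner (or anonymously) that ldapsearch on a group returns the entry without owner/uniqueMember, and that the owner DN still sees both; dnattr only matches when the "owner" attribute is present on the entry being accessed, so intermediate entries without it fall through to "by * read".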