
Re: Need some help with ACLs

Quanah Gibson-Mount wrote:

--On Thursday, September 21, 2006 12:13 AM -0700 Howard Chu <hyc@symas.com> wrote:

Rob Tanner wrote:
On 09/20/2006 01:57 PM, Quanah Gibson-Mount wrote:

access to dn.subtree="ou=classlists,o=linfield.edu"
        by dnattr=owner write
access to dn.subtree="ou=classlists,o=linfield.edu"
    by * none
access to dn.subtree="ou=classlists,o=linfield.edu"
    by * read

This gets me halfway to my goal.  With the first ACL in place and
logging in as an owner (my DN in the owner attribute), I can see all the
nodes immediately beneath "ou=classlists,o=linfield.edu", but I cannot
see objects beneath them.

The above was wrong anyway. It should have been:

Actually, the above was not wrong. Your ACLs are more concise, but lose some of the detail.

No, unless you use a "break" on the first access clause, it will prevent the other two from having any effect.

  -- Howard Chu
  Chief Architect, Symas Corp.  http://www.symas.com
  Director, Highland Sun        http://highlandsun.com/hyc
  OpenLDAP Core Team            http://www.openldap.org/project/
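
The point about "break" above, as an added example that is not part of the original thread and is not OpenLDAP code: a simplified Python model of slapd's first-match ACL evaluation, run over the three ACLs quoted in the message. It assumes every clause targets the same subtree and that <who> is only dnattr=owner or *; parse, evaluate, deciding_clauses and the WITH_BREAK variant are hypothetical names constructed for illustration.

```python
# Simplified model of slapd ACL evaluation (added example, not OpenLDAP code).
# Assumptions: every clause targets the same subtree, so each one matches the
# entry; <who> is either dnattr=owner or *; only stop/break controls are modeled.
TARGET = 'access to dn.subtree="ou=classlists,o=linfield.edu"'

POSTED = f"""
{TARGET}
    by dnattr=owner write
{TARGET}
    by * none
{TARGET}
    by * read
"""

# Constructed variant: the posted ACLs with "by * break" added to clause 1.
WITH_BREAK = POSTED.replace("owner write\n", "owner write\n    by * break\n", 1)

def parse(conf):
    """Return a list of clauses, each a list of (who, level, control)."""
    clauses = []
    for line in conf.strip().splitlines():
        words = line.split()
        if words[0] == "access":
            clauses.append([])
            continue
        who, rest = words[1], words[2:]          # by <who> [<level>] [<control>]
        control = rest.pop() if rest and rest[-1] in ("stop", "break") else "stop"
        clauses[-1].append((who, rest[0] if rest else "none", control))
    return clauses

def evaluate(clauses, is_owner):
    """Return (access level, number of the clause that decided it)."""
    for number, clause in enumerate(clauses, 1):
        # slapd ends every access clause with an implicit "by * none stop".
        for who, level, control in clause + [("*", "none", "stop")]:
            if who == "*" or (who == "dnattr=owner" and is_owner):
                if control == "break":
                    break                        # try the next access clause
                return level, number
    return "none", 0                             # implicit "access to * by * none"

def deciding_clauses(conf):
    """Clause numbers that can ever decide a request; the rest are shadowed."""
    clauses = parse(conf)
    return {evaluate(clauses, owner)[1] for owner in (True, False)}

if __name__ == "__main__":
    for name, conf in (("posted", POSTED), ("with break", WITH_BREAK)):
        print(name, sorted(deciding_clauses(conf)))
```

In this model the third clause never decides a request in either variant, because the second clause's "by * none" matches every requester and stops.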