
Re: acls and restricting permissions



On Tue, Dec 02, 2008 at 02:14:52PM +1000, Brett @Google wrote:

> Assuming we add to the above a user that has LESS access than the default ie:
> 
> access to attr=c,o,ou,cn,sn,givenName,mail
>     by dn.exact=cn=limited,dc=example,dc=com
>     by * none (or break)
> 
> This literally won't work as intended, because even if the above does
> not match, the
> 
>   access to *
>     by self write
>     by users read
> 
> Will always give users read by default.

You could split the rule into two clauses:

access to attr=c,o,ou,cn,sn,givenName,mail,entry
     by dn.exact=cn=limited,dc=example,dc=com read
     by * break

access to *
     by dn.exact=cn=limited,dc=example,dc=com none
     by * break

Note that I have added the 'entry' pseudo-attribute to the first
clause. Depending on the structure of your DIT you may also need
to add rules to permit access to the RDN components of entries
higher up the tree.

The 'by * break' statement is an easy way of making sure this 
clause does not affect any other users.

Andrew
-- 
-----------------------------------------------------------------------
|                 From Andrew Findlay, Skills 1st Ltd                 |
| Consultant in large-scale systems, networks, and directory services |
|     http://www.skills-1st.co.uk/                +44 1628 782565     |
-----------------------------------------------------------------------
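An added illustration, not part of the thread: a small Python model of the evaluation order that makes the difference between the two layouts visible. It is a simplified model of slapd's rules (first matching "access to" directive, first matching "by" clause, "stop" versus "break"), not OpenLDAP's code; the user DNs and the telephoneNumber attribute are constructed for the example.

```python
# Simplified model of slapd ACL evaluation (not OpenLDAP's own code): the first
# "access to" directive whose target matches the attribute is consulted; within
# it the first matching "by" clause decides. "stop" (the default) ends the
# evaluation, "break" carries on to the next directive, and a matching
# directive with no matching "by" clause denies (the implicit "by * none").
LIMITED = "cn=limited,dc=example,dc=com"
LISTED = {"c", "o", "ou", "cn", "sn", "givenName", "mail", "entry"}

def who_matches(who, user_dn, entry_dn):
    if who == "*":
        return True
    if who == "users":                       # any authenticated bind
        return user_dn is not None
    if who == "self":
        return user_dn is not None and user_dn.lower() == entry_dn.lower()
    if who.startswith("dn.exact="):
        return user_dn is not None and who[9:].lower() == user_dn.lower()
    raise ValueError("unsupported <who>: " + who)

def access(acls, user_dn, entry_dn, attr):
    """Access level user_dn gets to attr of entry_dn. acls is a list of
    (target, by_clauses); target is "*" or a set of attribute names; each by
    clause is (who, level, control), level None meaning 'unchanged' (bare break)."""
    level = "none"
    for target, by_clauses in acls:
        if target != "*" and attr not in target:
            continue
        for who, lvl, control in by_clauses:
            if not who_matches(who, user_dn, entry_dn):
                continue
            level = lvl if lvl is not None else level
            if control == "break":
                break                         # go on to the next directive
            return level                      # implicit stop
        else:
            return "none"                     # nothing matched: "by * none"
    return level

# Andrew's two clauses followed by the thread's default directive.
SPLIT = [
    (LISTED, [("dn.exact=" + LIMITED, "read", "stop"), ("*", None, "break")]),
    ("*",    [("dn.exact=" + LIMITED, "none", "stop"), ("*", None, "break")]),
    ("*",    [("self", "write", "stop"), ("users", "read", "stop")]),
]
# A single clause as Brett describes: attributes it does not list fall
# straight through to "access to *", where "by users read" applies.
LEAKY = [
    (LISTED, [("dn.exact=" + LIMITED, "read", "stop"), ("*", None, "break")]),
    ("*",    [("self", "write", "stop"), ("users", "read", "stop")]),
]
```

With SPLIT the limited user reads cn but gets none on telephoneNumber; with LEAKY the same user still reads telephoneNumber, which is the behaviour Brett reported.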