[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: ACL Question 'write stop' 'write break'

Please keep replies on the list.

On Mon, 19 Oct 2009, Edward Capriolo wrote:
As you have said .*managed people are never able to auth, one that
rule is put in place. So If I understand you correctly I should do

access to dn.regex="mail=.*.managed@jointhegrid.com,ou=user,ou=jointhegrid.com,o=jointhegrid,c=US"
by dn="mail=john@jointhegrid.com,ou=user,ou=jointhegrid.com,o=jointhegrid,c=US"
write stop
by dn="mail=sara@jointhegrid.com,ou=user,ou=jointhegrid,o=jointhegrid,c=US"
write stop
by * none break
access to attr=userPassword
by self write
by anonymous auth
by dn="mail=samba@jointhegrid.com,ou=user,ou=jointhegrid.com,o=jointhegrid,c=US"
by dn="mail=samba@jointhegrid-inc.com,ou=user,ou=jointhegrid-inc.com,o=jointhegrid,c=US"
by * none


Sure, that's a reasonable first move, if I'm understanding your desires correctly. Personally I like being very very very explicit in my ACLs, so I might actually write out dn.exact and put the * in "access to attr=userPassword." But you can worry about that in version 5...