
Re: AW: question regarding ACLs

"Kick, Claus" <claus.kick@siemens.com> writes:

> Hello,
>>> Where am I making a mistake?
>>access to dn.subtree=ou=removed_accounts,ou=people,o=suffix by none
>>access to dn.one=ou=people,o=suffix by * write
> Ok, that works like a charm! 
> Follow-up question (this probably shows I don't know much about ACLs):
> Why do I need to limit the scope via another ACL if I have one in place
> which itself should already limit the scope of a search on a subtree?

The principal design of ACLs is based on the ordering of a rule set,
beginning with a rule protecting the smallest item, like an
attribute, and ending with the largest tree item, like the whole tree. You may run
slapd in ACL debugging mode in order to watch the parsing of the
access rules; at least it gave me an understanding of the design of
access rules.


Dieter Klünter | Systemberatung
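The ordering point in the reply above, as an added example that is not part of the original thread and not OpenLDAP's code: a small Python model of how slapd selects the "access to" directive that applies to an entry. The real evaluator (slapd.access(5)) also matches on attributes, filters and regexes and supports continue/break/stop controls on `by` clauses; the model keeps only what the thread turns on: the `<what>` part of each directive is tested in configuration order, and the first directive whose `<what>` matches the target entry decides the outcome, so a broad `dn.subtree` selector placed first shadows every narrower selector after it. The DN names (`o=suffix`, `ou=people`, `ou=removed_accounts`, the `uid=` probe entries) are taken from the quoted config or constructed for the example; the `shadowed_rules` lint and the `self`/`users`/`anonymous` handling are this example's own simplifications.

```python
# Added example, not OpenLDAP's code: a model of slapd's first-match selection
# of "access to" directives, restricted to the dn.<style>= selectors used in
# the thread. It exists to show why the narrow deny on ou=removed_accounts
# must precede a broader grant on ou=people, and why dn.one on ou=people
# does not reach entries under ou=removed_accounts at all.
from dataclasses import dataclass, field
from typing import List, Optional, Tuple


def normalize(dn: str) -> str:
    """Cheap DN normalisation for the model: lowercase, trim around commas.
    (Assumption: no escaped commas inside RDN values.)"""
    return ",".join(part.strip().lower() for part in dn.split(","))


def dn_matches(style: str, base: str, target: str) -> bool:
    """The dn.<style>= selectors: base, one, subtree, children."""
    base, target = normalize(base), normalize(target)
    if style == "base":
        return target == base
    if style == "one":                      # direct children only, not the base itself
        return target.partition(",")[2] == base
    if style == "subtree":                  # the base entry and everything below it
        return target == base or target.endswith("," + base)
    if style == "children":                 # everything below the base, not the base
        return target.endswith("," + base)
    raise ValueError(f"unknown dn style: {style}")


@dataclass
class Rule:
    style: str
    dn: str
    by: List[Tuple[str, str]] = field(default_factory=list)   # [(<who>, <level>), ...]

    def conf_line(self) -> str:
        """Render the rule in slapd.conf syntax."""
        clauses = " ".join(f"by {who} {level}" for who, level in self.by)
        return f'access to dn.{self.style}="{self.dn}" {clauses}'


def who_matches(who: str, bind_dn: Optional[str], target: str) -> bool:
    """A reduced <who>: '*', 'anonymous', 'users', 'self', or an exact bind DN."""
    if who == "*":
        return True
    if who == "anonymous":
        return bind_dn is None
    if who == "users":
        return bind_dn is not None
    if who == "self":
        return bind_dn is not None and normalize(bind_dn) == normalize(target)
    return bind_dn is not None and normalize(bind_dn) == normalize(who)


def evaluate(rules: List[Rule], target: str, bind_dn: Optional[str] = None) -> str:
    """Access level the FIRST directive whose <what> matches target grants to bind_dn."""
    for rule in rules:
        if dn_matches(rule.style, rule.dn, target):
            for who, level in rule.by:
                if who_matches(who, bind_dn, target):
                    return level
            return "none"   # <what> matched but no <by> clause did: stop here, denied
    return "none"           # nothing matched: the implicit trailing "access to * by * none"


def shadowed_rules(rules: List[Rule], probes: List[str]) -> List[int]:
    """Indexes of rules that never win for any probe DN: a cheap lint for dead ACLs."""
    winners = set()
    for target in probes:
        for i, rule in enumerate(rules):
            if dn_matches(rule.style, rule.dn, target):
                winners.add(i)
                break
    return [i for i in range(len(rules)) if i not in winners]


SUFFIX = "o=suffix"
PEOPLE = f"ou=people,{SUFFIX}"
REMOVED = f"ou=removed_accounts,{PEOPLE}"

# The ordering that worked for the poster: the narrow deny line comes first.
RULES_FROM_THREAD = [
    Rule("subtree", REMOVED, [("*", "none")]),
    Rule("one", PEOPLE, [("*", "write")]),
]

# The shape of the mistake the thread is about (constructed): a subtree grant on
# ou=people placed first also matches every entry under ou=removed_accounts, so
# the deny line after it is dead configuration.
RULES_SHADOWED = [
    Rule("subtree", PEOPLE, [("*", "write")]),
    Rule("subtree", REMOVED, [("*", "none")]),
]

if __name__ == "__main__":
    probes = [f"uid=alice,{PEOPLE}", f"uid=bob,{REMOVED}"]
    for rules in (RULES_FROM_THREAD, RULES_SHADOWED):
        print("\n".join(r.conf_line() for r in rules))
        for t in probes:
            print(f"  {t}: {evaluate(rules, t)}")
        print(f"  shadowed rule indexes: {shadowed_rules(rules, probes)}")
```

Against a real server the same check is done with `slapd -d acl` (numeric level 128) to watch each directive being tested in order, or offline with `slapacl`, for example `slapacl -f /etc/openldap/slapd.conf -b "uid=bob,ou=removed_accounts,ou=people,o=suffix" -D "cn=admin,o=suffix" "entry/write"` (the paths and the bind DN are placeholders), which reports which directive decided the request without starting slapd.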