[Date Prev][Date Next]
Re: understanding ACLs: dn.subtree vs. attrs=@something
Ok, I found my problem: I was ldap-searching for uid=username, but did
not realise that since uid is also defined in acmeUserAccount, its
restricted everywhere. If I would search for cn=username, that would
work with access to attrs=@acmeUserAccount. That means I would get
results form the unix tree.
So, sorry for bothering you, and thanks a lot for helping me think with
this discussion ;-)
On 11/17/2010 06:54 PM, Quanah Gibson-Mount wrote:
--On Wednesday, November 17, 2010 12:39 PM +0100 Isaac Hailperin
access to dn.subtree="ou=useradm,dc=acme,dc=org" attrs=@acmeUserAccount
That works without sideeffects. Thank you :-)
But I still don't understand why 2 has side effects.
@acmeUserAccount by itself is going to affect access to all the
attributes that are in that objectClass. It's really just shorthand for
that list of attributes in that objectClass. So if you used the some of
the same attributes in your other tree, they would be affected as well.
By adding the specific subtree restriction, then you no longer affect
those attributes elsewhere.