
Re: understanding ACLs: dn.subtree vs. attrs=@something

Ok, I found my problem: I was ldap-searching for uid=username, but did not realise that since uid is also defined in acmeUserAccount, it's restricted everywhere. If I searched for cn=username, that would work with access to attrs=@acmeUserAccount. That means I would get results from the unix tree.

So, sorry for bothering you, and thanks a lot for helping me think this through in this discussion ;-)


On 11/17/2010 06:54 PM, Quanah Gibson-Mount wrote:
--On Wednesday, November 17, 2010 12:39 PM +0100 Isaac Hailperin
<hailperin@zib.de> wrote:

access to dn.subtree="ou=useradm,dc=acme,dc=org" attrs=@acmeUserAccount
That works without sideeffects. Thank you :-)
But I still don't understand why 2 has side effects.

@acmeUserAccount by itself is going to affect access to all the
attributes that are in that objectClass. It's really just shorthand for
that list of attributes in that objectClass. So if you used some of
the same attributes in your other tree, they would be affected as well.
By adding the specific subtree restriction, then you no longer affect
those attributes elsewhere.
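The two rule shapes discussed in this thread, side by side, as an added slapd.conf fragment that is not from the thread. It assumes a layout of my own: acmeUserAccount entries under ou=useradm and posixAccount entries under ou=unix (posixAccount requires uid, so uid exists in both trees), plus an assumed admin group cn=useradmins,ou=groups,dc=acme,dc=org. Only one of the two "access to attrs=@acmeUserAccount" rules would be present in a real config; both are shown to contrast them.

```conf
# Constructed slapd.conf ACL fragment (assumed schema and DNs; not from the thread).
# Assumed: ou=useradm,dc=acme,dc=org holds acmeUserAccount entries,
#          ou=unix,dc=acme,dc=org holds posixAccount entries,
#          cn=useradmins,ou=groups,dc=acme,dc=org is the admin group.
# slapd evaluates "access to" clauses in order and uses the first one whose
# <what> matches the entry/attribute being checked.

# --- Variant 1: unscoped, has the side effect Quanah describes -------------
# "@acmeUserAccount" expands to every attribute acmeUserAccount requires or
# allows, which includes uid. With no dn= clause, this clause matches uid on
# EVERY entry in the database, including posixAccount entries under ou=unix.
# A search with filter (uid=jdoe) against the unix tree is therefore decided
# here, and "by * none" makes it return nothing for non-admins.
#access to attrs=@acmeUserAccount
#    by group.exact="cn=useradmins,ou=groups,dc=acme,dc=org" write
#    by * none

# --- Variant 2: scoped to the subtree, the rule that worked in the thread --
# Same attribute set, but the clause only matches entries under ou=useradm.
# uid on entries under ou=unix does not match this <what> and falls through
# to the generic rules below.
access to dn.subtree="ou=useradm,dc=acme,dc=org" attrs=@acmeUserAccount
    by group.exact="cn=useradmins,ou=groups,dc=acme,dc=org" write
    by * none

# --- Generic rules for the rest of the DIT (unix tree etc.) ----------------
access to attrs=userPassword
    by self write
    by anonymous auth
    by * none

access to *
    by * read
```

To check which clause actually decides a given attribute without running a client, slapacl(8) evaluates the ACLs against the database offline, for example `slapacl -f slapd.conf -b "uid=jdoe,ou=unix,dc=acme,dc=org" -D "cn=someone,ou=unix,dc=acme,dc=org" uid/read` (DNs here are assumed); with variant 1 in place the answer for uid under ou=unix comes from the @acmeUserAccount clause, with variant 2 it comes from `access to *`.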