I am trying to write ACL statements that implement the following scenario:

With the exception of cn=radius,ou=sa,dc=test,dc=com,
every user should be able to see all objects under ou=users,dc=test,dc=com.
cn=radius,ou=sa,dc=test,dc=com should only see objects under ou=users,dc=test,dc=com with objectClass=radiusprofile.

I have tried the following ACL statements, which unfortunately do not work:

{11}to filter="(!(objectClass=radiusprofile))"
    by dn.exact="cn=radius,ou=sa,dc=test,dc=com" none
    by * break

{12}to dn.subtree="ou=users,dc=test,dc=com" attrs=entry,@top,cn,entryUUID
    by users read
    by * break

Statement {11} results in cn=radius,ou=sa,dc=test,dc=com not being able to see any objects.
Interestingly, if I set the filter in {11} to "(objectClass=radiusprofile)" (without the inversion (!)),
cn=radius,ou=sa,dc=test,dc=com can see all objects not having objectClass=radiusprofile, which is exactly the opposite of what I am
trying to do.

Why does the inversion (!) in the filter statement result in cn=radius,ou=sa,dc=test,dc=com
not being able to see any objects?
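An added example, not part of the original post and not slapd code: a simplified Python model of how the two rules above are evaluated, showing that an unscoped negated filter in {11} also matches the search base ou=users,dc=test,dc=com itself, so the radius DN is denied before any entry can be returned. The sample entries are constructed, attribute lists are ignored, and the `dn.children` variant of {11} is a hypothetical alternative, not a rule from the post.

```python
# Simplified model of slapd access evaluation (added example, not slapd code).
# Assumptions: only rules {11} and {12} from the post are modelled, attrs= lists
# are ignored, and a search needs access to the search base entry itself.
BASE = "ou=users,dc=test,dc=com"
RADIUS = "cn=radius,ou=sa,dc=test,dc=com"

# Constructed sample entries: DN -> objectClass values.
ENTRIES = {
    BASE: {"organizationalUnit"},
    "cn=alice," + BASE: {"person"},
    "cn=wifi1," + BASE: {"person", "radiusprofile"},
}

def under(dn, base, include_base):
    """True if dn is below base (dn.children) or, optionally, base itself."""
    return dn.endswith("," + base) or (include_base and dn == base)

def rule11_original(dn, classes):
    # to filter="(!(objectClass=radiusprofile))"  -> no DN scope at all
    return "radiusprofile" not in classes

def rule11_scoped(dn, classes):
    # Hypothetical variant: to dn.children="ou=users,dc=test,dc=com" filter="(!(...))"
    return under(dn, BASE, False) and "radiusprofile" not in classes

def access(who, dn, rule11):
    classes = ENTRIES[dn]
    # Rule {11}: "none" stops evaluation for the radius DN; "by * break" falls through.
    if rule11(dn, classes) and who == RADIUS:
        return "none"
    # Rule {12}: to dn.subtree=BASE ... by users read
    if under(dn, BASE, True):
        return "read"
    return "none"  # implicit default when no rule grants access

def search(who, rule11):
    """Subtree search from BASE: DNs the bound identity is allowed to see."""
    # The search base is checked first; without access to it nothing is returned.
    if access(who, BASE, rule11) == "none":
        return []
    return sorted(dn for dn in ENTRIES if access(who, dn, rule11) == "read")

if __name__ == "__main__":
    print("original {11}:", search(RADIUS, rule11_original))
    print("scoped {11}:  ", search(RADIUS, rule11_scoped))
```

In this model the scoped variant still leaves the container entry ou=users,dc=test,dc=com readable to the radius DN, because the search base must remain accessible for the search to return anything.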


