
RE: acls

> > I am trying to write acl statements that implement the following scenario:
> >
> > with the exception of cn=radius,ou=sa,dc=test,dc=com every user should
> > be able to see all objects under ou=users,dc=test,dc=com.
> > cn=radius,ou=sa,dc=test,dc=com should only see objects under
> > ou=users,dc=test,dc=com with objectClass=radiusprofile

On 15.08.2012 11:41, Peter Gietz wrote:
> what about something like:
> access to dn.subtree=ou=users,dc=test,dc=com filter="(objectClass=radiusprofile)"
> by dn=cn=radius,ou=sa,dc=test,dc=com read

> access to dn.subtree=ou=users,dc=test,dc=com
> by dn=cn=radius,ou=sa,dc=test,dc=com none
> by users read

thanks for your help peter!
the statements you suggested result in the same situation as those I came up with in my last post.

the second statement (access by radius none) seems to override the first statement, i.e. if the second statement is in place
cn=radius is not able to see anything under ou=users,dc=test,dc=com anymore no matter what objectclass the objects in the container


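Added example, not part of the original messages and not OpenLDAP code: a small Python model of the first-match evaluation described in slapd.access(5), applied to the two statements quoted in this thread. The entries uid=alice and uid=bob, their objectClass values, and all function names are constructed for illustration; the model covers entry-level access only.

```python
# Simplified model of slapd.access(5) first-match evaluation (not OpenLDAP code).
BASE = "ou=users,dc=test,dc=com"
RADIUS = "cn=radius,ou=sa,dc=test,dc=com"

# The two statements from the thread: (subtree, required objectClass or None, by-clauses).
ACLS = [
    (BASE, "radiusprofile", [(RADIUS, "read")]),
    (BASE, None, [(RADIUS, "none"), ("users", "read")]),
]

# Constructed sample entries: DN -> objectClass values.
ENTRIES = {
    BASE: {"organizationalUnit"},
    "uid=alice," + BASE: {"inetOrgPerson", "radiusprofile"},
    "uid=bob," + BASE: {"inetOrgPerson"},
}


def in_subtree(dn, base):
    return dn == base or dn.endswith("," + base)


def who_matches(who, bind_dn):
    # "users" means any authenticated identity; otherwise an exact DN match.
    return bind_dn is not None if who == "users" else who == bind_dn


def access(bind_dn, entry_dn):
    """Return the access level granted to bind_dn on entry_dn."""
    classes = ENTRIES[entry_dn]
    for base, required_class, by_clauses in ACLS:
        if not in_subtree(entry_dn, base):
            continue
        if required_class is not None and required_class not in classes:
            continue
        # The first statement whose <what> matches decides; later ones are not consulted.
        for who, level in by_clauses:
            if who_matches(who, bind_dn):
                return level
        return "none"  # implicit trailing "by * none" of the matched statement
    return "none"  # no statement matched (model assumption: default deny)


def report(bind_dn):
    """Map every sample entry to the level bind_dn receives on it."""
    return {dn: access(bind_dn, dn) for dn in ENTRIES}
```

In this model cn=radius gets read on the radiusprofile entry but none on the ou=users container itself, and every other user falls into the implicit "by * none" of the first statement for radiusprofile entries.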