
Re: acls

On 16.08.2012 14:03, Mundry, Marvin wrote:
>>> I am trying to write acl statements that implement the following scenario:
>>> with the exception of cn=radius,ou=sa,dc=test,dc=com every user should
>>> be able to see all objects under ou=users,dc=test,dc=com.
>>> cn=radius,ou=sa,dc=test,dc=com should only see objects under
>>> ou=users,dc=test,dc=com with objectClass=radiusprofile
> On 15.08.2012 11:41, Peter Gietz wrote:
>> what about something like:
>> access to dn.subtree=ou=users,dc=test,dc=com filter="(objectClass=radiusprofile)"
>> by dn=cn=radius,ou=sa,dc=test,dc=com read
>> access to dn.subtree=ou=users,dc=test,dc=com
>> by dn=cn=radius,ou=sa,dc=test,dc=com none
>> by users read
> Thanks for your help, Peter!
> The statements you suggested result in the same situation as those I came up with in my last post.
> The second statement (access by radius none) seems to override the first statement, i.e. if the second statement is in place,
> cn=radius is not able to see anything under ou=users,dc=test,dc=com anymore, no matter what objectClass the objects in the container
> have.

Now I have tried it out and think I found a solution to your problem:

# Directives are tried in file order and the first one whose "access to"
# part matches the entry decides; later directives are never consulted for
# that entry. The objectClass filter therefore has to sit on this first
# directive, otherwise the second one is unreachable for every child entry.
access to dn.children="ou=users,dc=test,dc=com" filter="(objectClass=radiusprofile)"
    by dn=cn=radius,ou=sa,dc=test,dc=com read
    by users read

# Everything else below ou=users: hidden from cn=radius, readable by users.
access to dn.children="ou=users,dc=test,dc=com"
    by dn=cn=radius,ou=sa,dc=test,dc=com none
    by users read

# The ou=users entry itself has no objectClass=radiusprofile, so it is matched
# separately here: every user, cn=radius included, must be able to read the
# search base, because a subtree search whose base entry the requester may not
# access returns nothing at all.
access to dn.base="ou=users,dc=test,dc=com"
    by users read

Does this work for you?



> regards,
> marvin


Peter Gietz (CEO)
DAASI International GmbH                   phone: +49 7071 407109-0
Europaplatz 3                              Fax:   +49 7071 407109-9
D-72072 Tübingen                           mail:  peter.gietz@daasi.de
Germany                                    Web:   www.daasi.de

DAASI International GmbH, Tübingen
Geschäftsführer Peter Gietz, Amtsgericht Stuttgart HRB 382175

Directory Applications for Advanced Security and Information Management
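A small model of how slapd selects an access directive, added here as an illustration of the thread; it is not OpenLDAP's code and nothing in it comes from the original posts beyond the two ACL sets themselves. It assumes a constructed directory with two entries under ou=users (one of them a radiusprofile), supports only the dn.base/dn.children/dn.subtree selectors, the (objectClass=X) filter and the dn=/users/* <who> forms that appear in the thread, and simplifies slapd.access(5) to three privilege levels: a subtree search needs search access to its base entry, and an entry is returned when the requester has read access to it (attribute-level access is not modeled).

```python
import re
from dataclasses import dataclass

# Constructed sample directory (not from the thread): entry DN -> objectClass values.
DIRECTORY = {
    "dc=test,dc=com": {"dcObject", "organization"},
    "ou=users,dc=test,dc=com": {"organizationalUnit"},
    "uid=alice,ou=users,dc=test,dc=com": {"inetOrgPerson", "radiusprofile"},
    "uid=bob,ou=users,dc=test,dc=com": {"inetOrgPerson"},
}
RADIUS = "cn=radius,ou=sa,dc=test,dc=com"
USERS = "ou=users,dc=test,dc=com"
ANONYMOUS = ""  # an unauthenticated bind has an empty DN
LEVELS = {"none": 0, "search": 1, "read": 2}  # the slapd privilege levels used here, in order

WHAT_RE = re.compile(r'^access\s+to\s+dn\.(base|children|subtree)="?([^"\s]+)"?'
                     r'(?:\s+filter="\(objectClass=([^)]+)\)")?\s*$', re.I)
BY_RE = re.compile(r'^by\s+(\S+)\s+(none|search|read)\s*$', re.I)

@dataclass
class Directive:
    scope: str         # base | children | subtree
    base: str
    object_class: str  # from filter="(objectClass=X)", None when unfiltered
    by: list           # (<who>, <level>) pairs in file order

def in_scope(scope, base, dn):
    d, b = dn.replace(" ", "").lower(), base.replace(" ", "").lower()
    if scope == "base":
        return d == b
    if scope == "children":
        return d != b and d.endswith("," + b)
    return d == b or d.endswith("," + b)  # subtree

def parse_acls(text):
    """Parse the restricted slapd.conf ACL syntax used in the thread."""
    acls = []
    for raw in text.strip().splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if m := WHAT_RE.match(line):
            acls.append(Directive(m.group(1).lower(), m.group(2), m.group(3), []))
        elif (m := BY_RE.match(line)) and acls:
            acls[-1].by.append((m.group(1), m.group(2).lower()))
        else:
            raise ValueError("unsupported ACL line: " + raw)
    return acls

def who_matches(who, requester):
    if who == "*":
        return True
    if who.lower() == "users":
        return requester != ANONYMOUS  # any authenticated bind
    if who.lower().startswith("dn="):
        return in_scope("base", who[3:], requester)  # exact DN match
    raise ValueError("unsupported <who> clause: " + who)

def access_level(acls, requester, dn):
    """First directive whose <what> matches the entry wins; inside it, the first
    matching <by> clause decides. Later directives are never consulted."""
    ocs = {oc.lower() for oc in DIRECTORY[dn]}
    for acl in acls:
        if not in_scope(acl.scope, acl.base, dn):
            continue
        if acl.object_class and acl.object_class.lower() not in ocs:
            continue
        for who, level in acl.by:
            if who_matches(who, requester):
                return level
        return "none"  # matched directive, no matching <by>: implicit 'by * none'
    return "read"  # no directive matched: slapd's built-in default is read

def search_subtree(acls, requester, base):
    """scope=sub search: slapd needs search access to the base entry itself first."""
    if LEVELS[access_level(acls, requester, base)] < LEVELS["search"]:
        return []
    return sorted(dn for dn in DIRECTORY if in_scope("subtree", base, dn)
                  and LEVELS[access_level(acls, requester, dn)] >= LEVELS["read"])

# The dn.subtree version quoted earlier in the thread, verbatim.
FIRST_SUGGESTION = """
access to dn.subtree=ou=users,dc=test,dc=com filter="(objectClass=radiusprofile)"
    by dn=cn=radius,ou=sa,dc=test,dc=com read
access to dn.subtree=ou=users,dc=test,dc=com
    by dn=cn=radius,ou=sa,dc=test,dc=com none
    by users read
"""
# The dn.children/dn.base version, with the objectClass filter on the first directive.
WORKING = """
access to dn.children="ou=users,dc=test,dc=com" filter="(objectClass=radiusprofile)"
    by dn=cn=radius,ou=sa,dc=test,dc=com read
    by users read
access to dn.children="ou=users,dc=test,dc=com"
    by dn=cn=radius,ou=sa,dc=test,dc=com none
    by users read
access to dn.base="ou=users,dc=test,dc=com"
    by users read
"""
```

Calling search_subtree(parse_acls(FIRST_SUGGESTION), RADIUS, USERS) returns an empty list: ou=users itself carries no radiusprofile class, so the second directive is the first match for the search base and gives cn=radius none there, which is exactly the symptom reported above. The same model also shows that in the first suggestion an ordinary user cannot read the radiusprofile entries, because the filtered directive has no "by users read" clause and a matched directive with no matching <by> denies. With the WORKING set cn=radius gets ou=users plus uid=alice only, other authenticated users get all three entries, and an anonymous bind gets nothing.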