[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: understanding ACLs: dn.subtree vs. attrs=@something

To: Isaac Hailperin <hailperin@zib.de>
Subject: Re: understanding ACLs: dn.subtree vs. attrs=@something
From: Quanah Gibson-Mount <quanah@zimbra.com>
Date: Wed, 17 Nov 2010 09:54:11 -0800
Cc: openldap-technical@openldap.org
Content-disposition: inline
In-reply-to: <4CE3BEF4.5030705@zib.de>
References: <4CE2C3E6.5020203@zib.de> <E9E4791A2004ED311F5C83C3@[192.168.1.7]> <4CE3BEF4.5030705@zib.de>

--On Wednesday, November 17, 2010 12:39 PM +0100 Isaac Hailperin<hailperin@zib.de> wrote:

access to dn.subtree="ou=useradm,dc=acme,dc=org" attrs=@acmeUserAccount

That works without sideeffects. Thank you :-)
But I still don't understand why 2 has side effects.

@acmeUserAccount by itself is going to affect access to all the attributesthat are in that objectClass. It's really just shorthand for that list ofattributes in that objectClass. So if you used the some of the sameattributes in your other tree, they would be affected as well. By addingthe specific subtree restriction, then you no longer affect thoseattributes elsewhere.

--Quanah

--

Quanah Gibson-Mount
Principal Software Engineer
Zimbra, Inc
--------------------
Zimbra ::  the leader in open source messaging and collaboration

Follow-Ups:
- Re: understanding ACLs: dn.subtree vs. attrs=@something
  - From: Isaac Hailperin <hailperin@zib.de>

References:
- understanding ACLs: dn.subtree vs. attrs=@something
  - From: Isaac Hailperin <hailperin@zib.de>
- Re: understanding ACLs: dn.subtree vs. attrs=@something
  - From: Quanah Gibson-Mount <quanah@zimbra.com>
- Re: understanding ACLs: dn.subtree vs. attrs=@something
  - From: Isaac Hailperin <hailperin@zib.de>

Prev by Date: Re: Problems Enabling Authentication using Cyrus SASL
Next by Date: Re: understanding ACLs: dn.subtree vs. attrs=@something
Index(es):
- Chronological
- Thread