
Re: understanding ACLs: dn.subtree vs. attrs=@something



--On Wednesday, November 17, 2010 12:39 PM +0100 Isaac Hailperin <hailperin@zib.de> wrote:

> access to dn.subtree="ou=useradm,dc=acme,dc=org" attrs=@acmeUserAccount
> That works without side effects. Thank you :-)
> But I still don't understand why 2 has side effects.

@acmeUserAccount by itself is going to affect access to all the attributes 
that are in that objectClass.  It's really just shorthand for that list of 
attributes in that objectClass.  So if you used some of the same 
attributes in your other tree, they would be affected as well.  By adding 
the specific subtree restriction, you no longer affect those 
attributes elsewhere.
--Quanah

--

Quanah Gibson-Mount
Principal Software Engineer
Zimbra, Inc
--------------------
Zimbra ::  the leader in open source messaging and collaboration
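
The side effect described in the reply above, as an added example that is not part of the original message and is not OpenLDAP code: a simplified Python model of slapd's first-match ACL selection, comparing the unscoped rule with the dn.subtree-scoped one. The attribute list for acmeUserAccount, the `by` clauses, the catch-all rule and every DN except ou=useradm,dc=acme,dc=org are assumptions made for illustration.

```python
# Simplified model of slapd ACL selection (added example, not OpenLDAP code).
# Assumed for illustration: the @acmeUserAccount expansion, the DNs below
# (except ou=useradm,dc=acme,dc=org) and all "by" clauses.
ACME_USER_ACCOUNT = {"uid", "mail", "userPassword"}
USERADM = "ou=useradm,dc=acme,dc=org"
ADMIN = "cn=useradmin,dc=acme,dc=org"
READER = "uid=alice,ou=people,dc=acme,dc=org"
OTHER_ENTRY = "uid=bob,ou=people,dc=acme,dc=org"

def in_subtree(dn, base):
    """True if dn is base or below it (string match; real slapd normalizes DNs)."""
    dn, base = dn.lower(), base.lower()
    return dn == base or dn.endswith("," + base)

def access(acl, entry_dn, attr, who):
    """The first rule whose <what> matches (entry, attr) decides the result.
    Its "by" list ends in an implicit "by * none"; later rules are not
    consulted once a rule has matched."""
    for rule in acl:
        if rule["subtree"] and not in_subtree(entry_dn, rule["subtree"]):
            continue
        if rule["attrs"] is not None and attr not in rule["attrs"]:
            continue
        for subject, level in rule["by"]:
            if subject in ("*", who):
                return level
        return "none"  # implicit "by * none" of the matched rule
    return "none"      # no rule matched at all

# access to * by * read   (assumed catch-all that follows the rule in question)
CATCH_ALL = {"subtree": None, "attrs": None, "by": [("*", "read")]}

# access to attrs=@acmeUserAccount by <ADMIN> write
UNSCOPED = [{"subtree": None, "attrs": ACME_USER_ACCOUNT,
             "by": [(ADMIN, "write")]}, CATCH_ALL]

# access to dn.subtree="ou=useradm,dc=acme,dc=org" attrs=@acmeUserAccount by <ADMIN> write
SCOPED = [{"subtree": USERADM, "attrs": ACME_USER_ACCOUNT,
           "by": [(ADMIN, "write")]}, CATCH_ALL]

if __name__ == "__main__":
    for name, acl in (("unscoped", UNSCOPED), ("scoped", SCOPED)):
        # The same attribute on an entry outside ou=useradm, read by a normal user.
        print(name, "-> mail on", OTHER_ENTRY, "=",
              access(acl, OTHER_ENTRY, "mail", READER))
```

With the unscoped rule, `mail` on an entry outside ou=useradm is captured by the first rule and falls through to its implicit deny; with the subtree restriction the same request reaches the catch-all rule.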