Re: understanding ACLs: dn.subtree vs. attrs=@something

[Isaac Hailperin <hailperin@zib.de>]

Ok, I found my problem: I was ldap-searching for uid=username, but did 
not realise that since uid is also defined in acmeUserAccount, its 
restricted everywhere. If I would search for cn=username, that would 
work with  access to attrs=@acmeUserAccount. That means I would get 
results form the unix tree.

So, sorry for bothering you, and thanks a lot for helping me think with 
this discussion ;-)

Isaac

On 11/17/2010 06:54 PM, Quanah Gibson-Mount wrote:
> --On Wednesday, November 17, 2010 12:39 PM +0100 Isaac Hailperin
> <hailperin@zib.de> wrote:
>
> > > access to dn.subtree="ou=useradm,dc=acme,dc=org" attrs=@acmeUserAccount
> > That works without sideeffects. Thank you :-)
> > But I still don't understand why 2 has side effects.
>
> @acmeUserAccount by itself is going to affect access to all the
> attributes that are in that objectClass. It's really just shorthand for
> that list of attributes in that objectClass. So if you used the some of
> the same attributes in your other tree, they would be affected as well.
> By adding the specific subtree restriction, then you no longer affect
> those attributes elsewhere.
>
> --Quanah