
Re: acls



Hi,

just a quick response without having tested it:

what about something like:

# cn=radius,ou=sa,dc=test,dc=com should only see objects under
# ou=users,dc=test,dc=com with objectClass=radiusprofile
# (other users need a matching by clause here too: a clause that
# matches the entry but none of whose by clauses match ends with an
# implicit "by * none", so without it they would lose the radiusprofile
# entries; continuation lines must start with whitespace in slapd.conf)
access to dn.subtree=ou=users,dc=test,dc=com
        filter="(objectClass=radiusprofile)"
        by dn=cn=radius,ou=sa,dc=test,dc=com read
        by users read

# with the exception of cn=radius,ou=sa,dc=test,dc=com
# every user should be able to see all objects under
# ou=users,dc=test,dc=com
access to dn.subtree=ou=users,dc=test,dc=com
        by dn=cn=radius,ou=sa,dc=test,dc=com none
        by users read


Cheers,

Peter

On 15.08.2012 11:04, Mundry, Marvin wrote:
> Hi,
> I am trying to write acl statements that implement the following scenario:
>
> with the exception of cn=radius,ou=sa,dc=test,dc=com
> every user should be able to see all objects under ou=users,dc=test,dc=com.
> cn=radius,ou=sa,dc=test,dc=com should only see objects under ou=users,dc=test,dc=com with objectClass=radiusprofile
>
>
> I have tried the following acl statements which unfortunately do not work:
> -------------------------------
> {11}to filter="(!(objectClass=radiusprofile))"
> by dn.exact="cn=radius,ou=sa,dc=test,dc=com" none
> by *  break
>
> {12}to dn.subtree="ou=users,dc=test,dc=com" attrs=entry,@top,cn,entryUUID
> by users read
> by * break
> -------------------------------
> statement {11} results in cn=radius,ou=sa,dc=test,dc=com not being able to see any objects.
> interestingly if I set the filter in {11} to "(objectClass=radiusprofile)" (without the inversion(!))
> cn=radius,ou=sa,dc=test,dc=com can see all objects not having objectClass=radiusprofile, which is exactly the opposite of what I am
> trying to do.
>
> why does the inversion (!) in the filter statement result in cn=radius,ou=sa,dc=test,dc=com
> not being able to see any objects?
>
>
> Marvin


-- 
_______________________________________________________________________

Peter Gietz (CEO)
DAASI International GmbH                   phone: +49 7071 407109-0
Europaplatz 3                              Fax:   +49 7071 407109-9
D-72072 Tübingen                           mail:  peter.gietz@daasi.de
Germany                                    Web:   www.daasi.de

DAASI International GmbH, Tübingen
Managing Director Peter Gietz, Amtsgericht Stuttgart HRB 382175

Directory Applications for Advanced Security and Information Management
_______________________________________________________________________
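A toy evaluator for the two rule sets in this thread, added here as an illustration; it is not code from the thread or from OpenLDAP. It models slapd's first-match semantics (the first matching `access to` clause is selected, its `by` clauses are tried in order, `stop` ends evaluation, `break` moves on to the next clause, a matched clause with no matching `by` denies, and the list ends with an implicit `access to * by * none`) over three constructed entries: the ou=users entry itself, a plain user (cn=alice, assumed) and one radiusprofile entry (cn=bob, assumed). attrs= lists, the separate search privilege and regex `dn=` patterns are left out. Run against the quoted {11}/{12} it reproduces what the quote reports: with the plain filter the radius DN reads exactly the entries without radiusprofile, and with the inverted filter it is denied on every entry lacking radiusprofile, which includes ou=users,dc=test,dc=com itself; since slapd checks access to the search base before descending into it, that denial on the base entry is a plausible reason the search returns nothing at all. It also shows that the first clause of the suggestion above, without a `by users read`, leaves ordinary users with no matching `by` on radiusprofile entries, and that its second clause denies the radius DN on the ou entry too.

```python
"""Toy model of slapd ACL evaluation written for this thread (not OpenLDAP code).
Modelled: first matching `access to` clause wins, `by` clauses in order,
stop/break controls, implicit `by * none` per clause and `access to * by * none`
at the end. Not modelled: attrs= lists, search/compare levels, regex dn=."""
from dataclasses import dataclass, field
from typing import Callable, List, Optional

RADIUS_DN = "cn=radius,ou=sa,dc=test,dc=com"
USERS_BASE = "ou=users,dc=test,dc=com"
ALICE_DN = "cn=alice," + USERS_BASE   # constructed plain user
BOB_DN = "cn=bob," + USERS_BASE       # constructed radiusprofile entry

@dataclass
class Entry:
    dn: str
    object_classes: frozenset

@dataclass
class By:
    who: str                      # "*", "users" or "dn=<exact dn>"
    access: Optional[str] = None  # "none" / "read"; None keeps the current level
    control: str = "stop"         # "stop" or "break"

@dataclass
class Rule:
    subtree: Optional[str] = None                   # dn.subtree=<base>
    filt: Optional[Callable[[Entry], bool]] = None  # filter="..."
    by: List[By] = field(default_factory=list)

def in_subtree(dn: str, base: str) -> bool:
    return dn == base or dn.endswith("," + base)

def who_matches(who: str, bind_dn: Optional[str]) -> bool:
    if who == "*":
        return True
    if who == "users":            # any authenticated identity
        return bind_dn is not None
    if who.startswith("dn="):     # dn= / dn.exact= treated as exact match
        return bind_dn == who[3:]
    raise ValueError(f"unsupported who clause {who!r}")

def evaluate(rules: List[Rule], entry: Entry, bind_dn: Optional[str]) -> str:
    """Access level ("none" or "read") that bind_dn gets on entry under rules."""
    level = "none"                # implicit trailing `access to * by * none`
    for rule in rules:
        if rule.subtree and not in_subtree(entry.dn, rule.subtree):
            continue
        if rule.filt and not rule.filt(entry):
            continue
        for by in rule.by:
            if not who_matches(by.who, bind_dn):
                continue
            if by.access is not None:
                level = by.access
            if by.control == "break":
                break             # leave this clause, try the next `access to`
            return level          # stop: evaluation ends here
        else:
            return "none"         # clause matched, no `by` did: implicit by * none
    return level

has_rp = lambda e: "radiusprofile" in e.object_classes      # (objectClass=radiusprofile)
lacks_rp = lambda e: "radiusprofile" not in e.object_classes  # (!(objectClass=radiusprofile))

# Constructed sample subtree: the ou itself, a plain user and a radius profile.
ENTRIES = [Entry(USERS_BASE, frozenset({"organizationalUnit"})),
           Entry(ALICE_DN, frozenset({"inetOrgPerson"})),
           Entry(BOB_DN, frozenset({"inetOrgPerson", "radiusprofile"}))]

# Marvin's quoted {11}/{12} (attrs= of {12} not modelled): inverted filter as
# posted, and the plain filter he also tried.
MARVIN_INVERTED = [Rule(filt=lacks_rp, by=[By("dn=" + RADIUS_DN, "none"), By("*", control="break")]),
                   Rule(subtree=USERS_BASE, by=[By("users", "read"), By("*", control="break")])]
MARVIN_PLAIN = [Rule(filt=has_rp, by=MARVIN_INVERTED[0].by), MARVIN_INVERTED[1]]

# Peter's suggestion without and with `by users read` in the first clause.
PETER_AS_POSTED = [Rule(subtree=USERS_BASE, filt=has_rp, by=[By("dn=" + RADIUS_DN, "read")]),
                   Rule(subtree=USERS_BASE, by=[By("dn=" + RADIUS_DN, "none"), By("users", "read")])]
PETER_FIXED = [Rule(subtree=USERS_BASE, filt=has_rp,
                    by=[By("dn=" + RADIUS_DN, "read"), By("users", "read")]),
               PETER_AS_POSTED[1]]

def readable(rules: List[Rule], bind_dn: Optional[str]) -> List[str]:
    """DNs in the sample subtree that bind_dn may read under rules."""
    return [e.dn for e in ENTRIES if evaluate(rules, e, bind_dn) == "read"]

if __name__ == "__main__":
    for name, rules in [("Marvin, (!(objectClass=radiusprofile))", MARVIN_INVERTED),
                        ("Marvin, (objectClass=radiusprofile)", MARVIN_PLAIN),
                        ("Peter as posted", PETER_AS_POSTED),
                        ("Peter with by users read", PETER_FIXED)]:
        print(f"{name}\n  radius: {readable(rules, RADIUS_DN)}\n  alice:  {readable(rules, ALICE_DN)}")
```

Note that `readable` judges each entry on its own; a real subtree search additionally needs access to the base entry, which is why the `evaluate(..., ENTRIES[0], RADIUS_DN)` result on ou=users matters more than the per-entry list for the radius DN.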