On Thu, 2005-11-03 at 06:43 -0500, John Halfpenny wrote:
> hi everyone.
>
> i'm trying to get to grips with acls on ldap, could someone glance over this
> snippet of config and tell me why my members in 'Account operators' are only
> being granted read permission to user attributes?
>
> thanks!
>
>
> access to dn.base="" by * read
> access to dn.base="cn=Subschema" by * read
>
> access to dn.onelevel="ou=Users,dc=student,dc=local"
>     attrs=entry,@extensibleObject
>     by set="user/uid & [cn=Account Operators,ou=Groups,dc=student,dc=local]/memberUid" write
>     by * read
>
> access to dn.base="ou=Users,dc=student,dc=local" attrs=children
>     by set="user/uid & [cn=Account Operators,ou=Groups,dc=student,dc=local]/memberUid" write
>     by * read
Assuming you're populating your database with entries consistent with
rfc2307 schema, I bet you'd use "uidNumber" instead of "uid" from users;
that is:
access to dn.onelevel="ou=Users,dc=student,dc=local"
    attrs=entry,@extensibleObject
    by set="user/uidNumber & [cn=Account Operators,ou=Groups,dc=student,dc=local]/memberUid" write
    by * read
and so on...
p.
SysNet - via Dossi,8 27100 Pavia Tel: +390382573859 Fax: +390382476497
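As an added example, not code from either poster, here is a small Python model of how a set-style `by` clause like the one above is evaluated: `user/<attr>` is the set of values of `<attr>` on the bound user's entry, `[<dn>]/memberUid` is the set of `memberUid` values on the group entry, `&` is set intersection, and the clause matches only when that intersection is non-empty; if it does not match, evaluation falls through to the next clause, here `by * read`. The directory contents, DNs and attribute values below are constructed for the illustration; in this toy data the group's `memberUid` values are login names, so whether the `uid` or the `uidNumber` form of the set grants write depends entirely on which values the group actually stores.

```python
"""Simplified model of OpenLDAP set-based ACL evaluation (added example, not slapd code)."""
from typing import Dict, List, Set

# Constructed toy directory: DN -> {attribute type: [values]}.
# Shaped after RFC 2307: posixAccount users, a posixGroup with memberUid values.
DIRECTORY: Dict[str, Dict[str, List[str]]] = {
    "uid=jhalfpenny,ou=Users,dc=student,dc=local": {
        "objectClass": ["posixAccount"],
        "uid": ["jhalfpenny"],
        "uidNumber": ["1001"],
    },
    "uid=student1,ou=Users,dc=student,dc=local": {
        "objectClass": ["posixAccount"],
        "uid": ["student1"],
        "uidNumber": ["1002"],
    },
    "cn=Account Operators,ou=Groups,dc=student,dc=local": {
        "objectClass": ["posixGroup"],
        "memberUid": ["jhalfpenny"],  # constructed: login name, per RFC 2307 posixGroup
    },
}

GROUP_DN = "cn=Account Operators,ou=Groups,dc=student,dc=local"


def attr_values(directory: Dict[str, Dict[str, List[str]]], dn: str, attr: str) -> Set[str]:
    """Values of `attr` on entry `dn`; attribute types compare case-insensitively,
    and a missing entry or attribute yields the empty set (so the set clause cannot match)."""
    entry = directory.get(dn, {})
    for name, values in entry.items():
        if name.lower() == attr.lower():
            return set(values)
    return set()


def set_clause_matches(directory: Dict[str, Dict[str, List[str]]],
                       bound_dn: str, user_attr: str,
                       group_dn: str, group_attr: str) -> bool:
    """Model of `set="user/<user_attr> & [<group_dn>]/<group_attr>"`:
    the clause matches when the intersection of the two value sets is non-empty."""
    lhs = attr_values(directory, bound_dn, user_attr)
    rhs = attr_values(directory, group_dn, group_attr)
    return bool(lhs & rhs)


def effective_access(bound_dn: str, user_attr: str = "uid") -> str:
    """First matching `by` clause wins: the set clause grants write,
    otherwise evaluation falls through to `by * read`."""
    if set_clause_matches(DIRECTORY, bound_dn, user_attr, GROUP_DN, "memberUid"):
        return "write"
    return "read"


if __name__ == "__main__":
    for dn in ("uid=jhalfpenny,ou=Users,dc=student,dc=local",
               "uid=student1,ou=Users,dc=student,dc=local"):
        for attr in ("uid", "uidNumber"):
            print(f"{dn:<48} user/{attr:<9} -> {effective_access(dn, attr)}")
```

Run as a script it prints the access level each constructed user would get under both spellings of the set clause; a quick way to check a real deployment is to compare the values the group's `memberUid` attribute holds against the user attribute named in the set before assuming the ACL syntax itself is at fault.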