Thanks for replying. :)

However, it still doesn't allow write access for 'account operators', unless I specify 'by * write' instead of read!

Having checked my account operators group, the memberUid contains the uid of the user, not the uidNumber.

Is there some query I can run as manager to discover if this syntax is right?

John
--- On Thu 11/03, Pierangelo Masarati < [EMAIL PROTECTED] > wrote:
From: Pierangelo Masarati [mailto: [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Cc: [email protected]
Date: Thu, 03 Nov 2005 15:48:59 +0100
Subject: Re: group acl permissions
On Thu, 2005-11-03 at 06:43 -0500, John Halfpenny wrote:
> Hi everyone.
>
> I'm trying to get to grips with ACLs on LDAP. Could someone glance over
> this snippet of config and tell me why my members in 'Account operators' are
> only being granted read permission to user attributes?
>
> Thanks!
>
>
> access to dn.base="" by * read
> access to dn.base="cn=Subschema" by * read
>
> access to dn.onelevel="ou=Users,dc=student,dc=local" attrs=entry,@extensibleObject
>     by set="user/uid & [cn=Account Operators,ou=Groups,dc=student,dc=local]/memberUid" write
>     by * read
>
> access to dn.base="ou=Users,dc=student,dc=local" attrs=children
>     by set="user/uid & [cn=Account Operators,ou=Groups,dc=student,dc=local]/memberUid" write
>     by * read

Assuming you're populating your database with entries consistent with
rfc2307 schema, I bet you'd use "uidNumber" instead of "uid" from users;
that is:

access to dn.onelevel="ou=Users,dc=student,dc=local"
    attrs=entry,@extensibleObject
    by set="user/uidNumber & [cn=Account Operators,ou=Groups,dc=student,dc=local]/memberUid" write
    by * read

and so on...

p.

SysNet - via Dossi,8 27100 Pavia Tel: +390382573859 Fax: +390382476497
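As an added illustration, not code from the thread, here is a toy Python evaluator for the `set="user/<attr> & [<dn>]/memberUid"` expression used in the quoted config, run against a constructed in-memory directory. It models only two slapd rules: `&` is set intersection and a set clause matches when the result is non-empty, and the first matching `by` clause decides the access level. It shows why the clause grants write only when the group's memberUid values and the chosen user attribute hold values in the same form.

```python
import re

# Constructed in-memory directory (rfc2307-style): memberUid carries login
# names, so it can only intersect with a value-compatible user attribute.
DIRECTORY = {
    "uid=jhalf,ou=Users,dc=student,dc=local": {"uid": ["jhalf"], "uidNumber": ["1001"]},
    "uid=bob,ou=Users,dc=student,dc=local": {"uid": ["bob"], "uidNumber": ["1002"]},
    "cn=Account Operators,ou=Groups,dc=student,dc=local": {"memberUid": ["jhalf"]},
}

# Operand forms handled: user/<attr> and [<dn>]/<attr>
OPERAND_RE = re.compile(r"^(?:user|\[(?P<dn>[^\]]+)\])/(?P<attr>\w+)$")

def resolve(term, user_dn):
    """Values the operand evaluates to; unknown DN or attribute -> empty set."""
    m = OPERAND_RE.match(term.strip())
    if not m:
        raise ValueError(f"unsupported set operand: {term!r}")
    dn = m.group("dn") or user_dn
    return set(DIRECTORY.get(dn, {}).get(m.group("attr"), []))

def set_matches(expr, user_dn):
    """'&' is set intersection; the clause matches when the result is non-empty."""
    terms = expr.split("&")
    result = resolve(terms[0], user_dn)
    for term in terms[1:]:
        result &= resolve(term, user_dn)
    return bool(result)

def access_for(user_dn, by_clauses):
    """Walk the 'by' clauses in order; the first <who> that matches wins."""
    for who, level in by_clauses:
        if who == "*" or set_matches(who, user_dn):
            return level
    return "none"  # no clause matched: access denied

GROUP = "[cn=Account Operators,ou=Groups,dc=student,dc=local]/memberUid"
ACL_UID = [("user/uid & " + GROUP, "write"), ("*", "read")]              # as posted
ACL_UIDNUMBER = [("user/uidNumber & " + GROUP, "write"), ("*", "read")]  # as suggested

if __name__ == "__main__":
    for dn in (d for d in DIRECTORY if d.startswith("uid=")):
        print(dn, "uid:", access_for(dn, ACL_UID), "uidNumber:", access_for(dn, ACL_UIDNUMBER))
```

On a real server, OpenLDAP's slapacl(8) evaluates the configured ACLs for a given bind DN and target entry offline, which answers the "is this syntax right" question without issuing searches.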