On Wed, 2006-05-24 at 16:59 -0300, Andreas Hasenack wrote:
> (openldap-2.3.23)
>
> If I have an ACL like this:
>
> access to dn.subtree="dc=example,dc=com" attrs=@shadowAccount
>         by group.exact="cn=LDAP Admins,ou=System Groups,dc=example,dc=com"
>         by * none
>
> Would it be equivalent to, instead of using @shadowAccount, just listing all
> attributes of that class?

Yes.

> Or does the above ACL also require that the entry has
> the shadowAccount object class?

No.

> I ask because attributes are shared among different object classes. For
> example, both posixAccount and shadowAccount use userPassword.
>
> So, would the above ACL let a member of LDAP Admins update the userPassword
> attribute in this sample entry?
>
> dn: uid=foo,ou=People,dc=example,dc=com
> uid: foo
> objectClass: inetOrgPerson
> objectClass: posixAccount
> cn: foo
> sn: foo
> userPassword: secret   <-----
> (...)

As soon as shadowAccount contains "userPassword" as either a required or an
allowed attribute, yes. What the access-checking code does when it encounters
an "@objectClassName" attribute is check whether the attribute is listed as
either a required or an allowed attribute for that objectClass. Consider
"@objectClassName" as a shortcut for a complete listing of that objectClass'
attributes.

p.

Ing. Pierangelo Masarati
Responsabile Open Solution
OpenLDAP Core Team

SysNet s.n.c.
Via Dossi, 8 - 27100 Pavia - ITALIA
http://www.sys-net.it
------------------------------------------
Office:  +39.02.23998309
Mobile:  +39.333.4963172
Email:   [EMAIL PROTECTED]
------------------------------------------
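The expansion described in the reply above, as an added example that is not part of the thread or of slapd's own code: a small Python model of how an `attrs=@objectClass` specification is matched against the schema rather than against the entry's objectClass values. The shadowAccount definition is reproduced from OpenLDAP's nis.schema (RFC 2307); the function names and the sample entry are constructed for illustration.

```python
import re

# shadowAccount as defined in OpenLDAP's nis.schema (RFC 2307). Check your own
# server's schema: a local change to MUST/MAY changes what @shadowAccount covers.
SCHEMA = [
    "( 1.3.6.1.1.1.2.1 NAME 'shadowAccount' "
    "DESC 'Additional attributes for shadow passwords' SUP top AUXILIARY "
    "MUST uid MAY ( userPassword $ shadowLastChange $ shadowMin $ shadowMax $ "
    "shadowWarning $ shadowInactive $ shadowExpire $ shadowFlag $ description ) )",
]

def parse_objectclass(defn):
    """Return (name, attrs) for one objectClass definition in RFC 4512 syntax;
    attrs is the lower-cased union of its MUST and MAY lists."""
    name = re.search(r"NAME\s+'([^']+)'", defn).group(1).lower()
    attrs = set()
    for kw in ("MUST", "MAY"):
        m = re.search(r"\b" + kw + r"\s+(?:\(([^)]*)\)|([A-Za-z][\w-]*))", defn)
        if m:
            body = m.group(1) if m.group(1) is not None else m.group(2)
            attrs.update(a.strip().lower() for a in body.split("$") if a.strip())
    return name, attrs

CLASSES = dict(parse_objectclass(d) for d in SCHEMA)

def expand_acl_attr(spec):
    """'@objectClass' expands to that class's MUST + MAY attributes; a plain
    attribute name expands to itself. LDAP attribute names are case-insensitive."""
    if spec.startswith("@"):
        return set(CLASSES.get(spec[1:].lower(), set()))
    return {spec.lower()}

def acl_covers(acl_attrs, attribute):
    """Does an attrs=<list> clause select this attribute? Only the schema is
    consulted, never the target entry's own objectClass values."""
    return any(attribute.lower() in expand_acl_attr(s) for s in acl_attrs)

# Constructed entry from the thread: posixAccount/inetOrgPerson, no shadowAccount.
ENTRY = {"dn": "uid=foo,ou=People,dc=example,dc=com",
         "objectClass": ["inetOrgPerson", "posixAccount"],
         "userPassword": ["secret"]}

def covered_by_shadow_account(attribute):
    return acl_covers(["@shadowAccount"], attribute)

if __name__ == "__main__":
    print("@shadowAccount expands to:", sorted(expand_acl_attr("@shadowAccount")))
    for attr in ("userPassword", "shadowLastChange", "cn", "gidNumber"):
        print(f"{attr:18s} on {ENTRY['objectClass']}: {covered_by_shadow_account(attr)}")
```

Running it shows userPassword and shadowLastChange covered even though the entry carries no shadowAccount objectClass, while cn and gidNumber are not.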
