On Wed, Dec 19, 2012 at 04:39:50PM +0530, anil beniwal wrote:

> First one is working fine, 2nd one is not allowing to write access to Vpwrite
> user.

The second ACI is for Vwrite and Vread, not Vpwrite...

> Scenario is we want to delegate read access to all the attributes to one user
> and other user to write access to all the attributes.
>
> This is for login.
>
> > access to attrs=userPassword
> >         by self write
> >         by dn="cn=Vpwrite,ou=businessUsersGroup,dc=example,dc=com" write
> >         by dn="cn=Vpread,ou=businessUsersGroup,dc=example,dc=com" read
> >         by anonymous auth
> >         by * break

You may not want that 'by * break' clause. It will allow both Vread and
Vwrite to access the password attribute.

> Read/Write access
> > access to *
> >         by dn="cn=Vwrite,ou=businessUsersGroup,dc=example,dc=com" write
> >         by dn="cn=Vread,ou=businessUsersGroup,dc=example,dc=com" read
> >         by * none

Did you really intend to have four users here, or just two?

Andrew
-- 
-----------------------------------------------------------------------
|                 From Andrew Findlay, Skills 1st Ltd                 |
| Consultant in large-scale systems, networks, and directory services |
|     http://www.skills-1st.co.uk/                +44 1628 782565     |
-----------------------------------------------------------------------
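
The fall-through caused by 'by * break', modelled as an added Python sketch (not part of the original thread and not slapd code). It assumes a simplified evaluator that handles only `self`, `anonymous`, `*` and exact-DN matches plus a bare `break`, and a constructed entry DN `uid=alice,dc=example,dc=com`.

```python
# Added illustration: simplified model of slapd access-clause evaluation.
# Handles only self / anonymous / * / exact-DN "who" forms and a bare "break".
BASE = "ou=businessUsersGroup,dc=example,dc=com"
ENTRY = "uid=alice,dc=example,dc=com"   # constructed sample entry

def who_matches(who, bind_dn, entry_dn):
    if who == "*":
        return True
    if who == "anonymous":
        return bind_dn is None
    if who == "self":
        return bind_dn is not None and bind_dn == entry_dn
    return bind_dn == who                # exact DN match

def granted(acl, bind_dn, entry_dn, attr):
    """Access level for bind_dn on entry_dn's attr under this model."""
    for attrs, by_clauses in acl:
        if attrs != "*" and attr not in attrs:
            continue                     # this "access to" does not cover attr
        for who, level, control in by_clauses:
            if who_matches(who, bind_dn, entry_dn):
                if control == "break":
                    break                # go on to the next "access to" clause
                return level             # default control is "stop"
        else:
            return "none"                # implicit trailing "by * none"
    return "none"                        # no clause left: access denied

def rules(with_break):
    """The two access clauses from the thread, with or without 'by * break'."""
    pw = [("self", "write", "stop"),
          ("cn=Vpwrite," + BASE, "write", "stop"),
          ("cn=Vpread," + BASE, "read", "stop"),
          ("anonymous", "auth", "stop")]
    if with_break:
        pw.append(("*", None, "break"))
    rest = [("cn=Vwrite," + BASE, "write", "stop"),
            ("cn=Vread," + BASE, "read", "stop"),
            ("*", "none", "stop")]
    return [({"userPassword"}, pw), ("*", rest)]

if __name__ == "__main__":
    for user in ("Vpwrite", "Vpread", "Vwrite", "Vread"):
        dn = "cn=%s,%s" % (user, BASE)
        print(user,
              "userPassword with break:", granted(rules(True), dn, ENTRY, "userPassword"),
              "| without:", granted(rules(False), dn, ENTRY, "userPassword"),
              "| mail:", granted(rules(True), dn, ENTRY, "mail"))
```

Against a real configuration, slapacl(8) gives the authoritative answer for the same identity and attribute checks.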
