On Tue, 5 Aug 2014 22:41:54 +0200, Simeon Ott <[email protected]> wrote:

> On 05.08.2014, at 18:03, Dieter Klünter <[email protected]> wrote:
>
> can you help me finding the applied rule during the write process of
> an object with uid=1234? i used other objectclasses and attributes,
> which are not in the allowed attribute list. the debugging output is
> attached to this email. the current acl set is listed below.

[...]

> access to dn.regex="^(.+,)?ou=(.+),ou=domains,dc=mydomain$"
> attrs=@CourierMailAccount,@inetOrgPerson,@top,@Vacation,entry,cn,sn,homeDirectory,vacationActive,vacationInfo,vacationForward,smtpRelayFlag,description,displayName,givenName,homePhone,homePostalAddress,initials,mobile,postalAddress,postalCode,l,telephoneNumber,title
> by self write by
> dn.base,expand="cn=postmaster,ou=$2,ou=domains,dc=mydomain" write by
> * read
>
> access to dn.regex="^ou=(.+),ou=domains,dc=mydomain$" attrs=children
> by
> dn.base,expand="cn=postmaster,ou=$1,ou=domains,dc=mydomain" write by
> * read

These 2 rule sets are applied, objectClasses are expanded and all
attribute types of these objectclasses are write allowed. The restricting
attribute types are not considered, as @<objectClass> is applied and
matched.

-Dieter

-- 
Dieter Klünter | Systemberatung
http://sys4.de
GPG Key ID: E9ED159B
53°37'09,95"N 10°08'02,42"E
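Added example (not part of the original message and not OpenLDAP code): a small audit of the first rule's attrs= value, listing the attribute types that fall under the rule only because an @<objectClass> entry pulls them in. The schema table is a constructed, abbreviated sample and the function names are hypothetical; only the @ form is handled.

```python
# Constructed, abbreviated schema sample: objectClass -> attribute types it
# requires or allows. NOT the full definitions; load the real ones from the
# server's subschema before relying on the result.
SAMPLE_SCHEMA = {
    "inetOrgPerson": ["displayName", "givenName", "homePhone", "mobile",
                      "mail", "manager", "jpegPhoto", "userCertificate"],
    "CourierMailAccount": ["mail", "homeDirectory", "mailbox", "quota",
                           "userPassword", "clearPassword"],
}

# attrs= value of the first rule quoted in the message above.
ATTRS = ("@CourierMailAccount,@inetOrgPerson,@top,@Vacation,entry,cn,sn,"
         "homeDirectory,vacationActive,vacationInfo,vacationForward,"
         "smtpRelayFlag,description,displayName,givenName,homePhone,"
         "homePostalAddress,initials,mobile,postalAddress,postalCode,l,"
         "telephoneNumber,title")


def parse_attrs(value):
    """Split an attrs= value into explicit names and @objectClass names."""
    explicit, classes = set(), []
    for item in (i.strip() for i in value.split(",")):
        if item.startswith("@"):
            classes.append(item[1:])
        elif item:
            explicit.add(item.lower())  # attribute names are case-insensitive
    return explicit, classes


def audit(value, schema):
    """Return (widened, unresolved): attributes covered only via an @class,
    and @classes missing from the supplied schema (so not audited)."""
    explicit, classes = parse_attrs(value)
    known = {name.lower(): attrs for name, attrs in schema.items()}
    widened, unresolved = {}, []
    for oc in classes:
        if oc.lower() not in known:
            unresolved.append(oc)
            continue
        for at in known[oc.lower()]:
            if at.lower() not in explicit:
                widened.setdefault(at, []).append(oc)
    return widened, unresolved


if __name__ == "__main__":
    widened, unresolved = audit(ATTRS, SAMPLE_SCHEMA)
    for at in sorted(widened):
        print(f"{at}: covered only via @{', @'.join(widened[at])}")
    print("not audited (no schema supplied):", ", ".join(unresolved))
```

Every attribute the audit reports is writable under the rule even though it is absent from the explicit list, which is the behaviour described in the reply above.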
