On Tue, Dec 02, 2008 at 02:14:52PM +1000, Brett @Google wrote:
Assuming we add to the above a user that has LESS access than the default, i.e.:
access to attr=c,o,ou,cn,sn,givenName,mail by dn.exact=cn=limited,dc=example,dc=com by * none (or break)
This literally won't work as intended, because even if the above does not match, the
access to * by self write by users read
Will always give users read by default.
You could split the rule into two clauses:
access to attr=c,o,ou,cn,sn,givenName,mail,entry by dn.exact=cn=limited,dc=example,dc=com read by * break
access to * by dn.exact=cn=limited,dc=example,dc=com none by * break
Note that I have added the 'entry' pseudo-attribute to the first clause. Depending on the structure of your DIT you may also need to add rules to permit access to the RDN components of entries higher up the tree.
The 'by * break' statement is an easy way of making sure this clause does not affect any other users.
Andrew
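The evaluation Brett and Andrew are discussing, as an added example that is not part of the thread and not code from either of them: a small Python model of how slapd walks `access to ... by ...` directives, used to compare the single-clause ruleset with Andrew's split version against the default `access to * by self write by users read`. The semantics are a simplified reading of slapd.access(5) (first matching `to` directive, first matching `by` clause, `break` passing to the next directive, implicit trailing `by * none`), the DNs and the `telephoneNumber` attribute are constructed, and Brett's clause is written with an explicit `read` level and `by * break` so that only the unlisted-attribute behaviour he describes differs between the two rulesets.

```python
"""Toy model of slapd access-control evaluation (added example, not from the thread).

Assumed, simplified slapd.access(5) semantics:
  * directives are tried in order; the first whose 'to' part matches the attribute is selected;
  * inside it, 'by' clauses are tried in order; the first whose 'who' matches decides,
    and the default control 'stop' ends evaluation;
  * 'break' hands over to the next directive, keeping whatever level was granted so far
    (a bare 'by * break' grants nothing);
  * every directive ends with an implicit 'by * none'; no match at all means none.
Only none/read/write and the *, anonymous, users, self and dn.exact selectors are modelled.
"""
from dataclasses import dataclass, field
from typing import List, Optional

LEVELS = ("none", "read", "write")


@dataclass
class By:
    who: str = ""                # "*", "anonymous", "users", "self" or "dn.exact=<dn>"
    level: Optional[str] = None  # None: leave the accumulated level unchanged
    control: str = "stop"        # "stop" or "break"


@dataclass
class Access:
    to: str                      # "*" or "attr=<a>,<b>,..." ('entry' may appear in the list)
    by: List[By] = field(default_factory=list)

    def matches(self, attr: str) -> bool:
        if self.to == "*":
            return True
        if not self.to.startswith("attr="):
            raise ValueError(f"unsupported 'to' selector {self.to!r}")
        return attr in self.to[len("attr="):].split(",")


def parse(line: str) -> Access:
    """Parse one 'access to <what> by <who> [<level>] [<control>] ...' directive."""
    tokens = line.split()
    if tokens[:2] != ["access", "to"] or len(tokens) < 3:
        raise ValueError(f"not an access directive: {line!r}")
    directive = Access(to=tokens[2])
    clause: Optional[By] = None
    for tok in tokens[3:]:
        if tok == "by":
            clause = By()
            directive.by.append(clause)
        elif clause is None:
            raise ValueError(f"unexpected token {tok!r} before the first 'by'")
        elif not clause.who:
            clause.who = tok
        elif tok in LEVELS:
            clause.level = tok
        elif tok in ("stop", "break"):
            clause.control = tok
        else:
            raise ValueError(f"unsupported token {tok!r}")
    return directive


def who_matches(who: str, requester: Optional[str], target_dn: str) -> bool:
    """requester is the bound DN, or None for an anonymous bind."""
    if who == "*":
        return True
    if who == "anonymous":
        return requester is None
    if who == "users":
        return requester is not None
    if who == "self":
        return requester is not None and requester.lower() == target_dn.lower()
    if who.startswith("dn.exact="):
        return requester is not None and requester.lower() == who[len("dn.exact="):].lower()
    raise ValueError(f"unsupported 'by' selector {who!r}")


def evaluate(acl: List[Access], requester: Optional[str], target_dn: str, attr: str) -> str:
    """Return the level the requester gets on one attribute of target_dn."""
    granted = "none"
    for directive in acl:
        if not directive.matches(attr):
            continue
        for clause in directive.by + [By("*", "none")]:  # implicit trailing 'by * none'
            if not who_matches(clause.who, requester, target_dn):
                continue
            if clause.level is not None:
                granted = clause.level
            if clause.control == "break":
                break                                     # try the next directive
            return granted                                # 'stop'
    return granted


# Constructed sample DNs; the DIT layout is an assumption, not from the thread.
LIMITED = "cn=limited,dc=example,dc=com"
ALICE = "uid=alice,ou=people,dc=example,dc=com"
BOB = "uid=bob,ou=people,dc=example,dc=com"
DEFAULT_TAIL = "access to * by self write by users read"

# Brett's single clause, with the read level he intends and 'break' for everyone else.
BRETT_ACL = [
    parse("access to attr=c,o,ou,cn,sn,givenName,mail "
          "by dn.exact=cn=limited,dc=example,dc=com read by * break"),
    parse(DEFAULT_TAIL),
]
# Andrew's two clauses as posted, followed by the same default rule.
ANDREW_ACL = [
    parse("access to attr=c,o,ou,cn,sn,givenName,mail,entry "
          "by dn.exact=cn=limited,dc=example,dc=com read by * break"),
    parse("access to * by dn.exact=cn=limited,dc=example,dc=com none by * break"),
    parse(DEFAULT_TAIL),
]

if __name__ == "__main__":
    for name, acl in (("single clause", BRETT_ACL), ("split clauses", ANDREW_ACL)):
        for dn, label in ((LIMITED, "limited"), (ALICE, "self"), (BOB, "other user"), (None, "anonymous")):
            levels = {a: evaluate(acl, dn, ALICE, a) for a in ("mail", "entry", "telephoneNumber")}
            print(f"{name:13} {label:10} {levels}")
```

Running it prints one row per ruleset and requester: under the single clause the limited user reads `telephoneNumber` through the `by users read` default, exactly the fall-through Brett describes, while under the split clauses it gets `none` there and `read` on the listed attributes and on `entry`; self, other users and anonymous binds see the same levels under both rulesets, which is what the `by * break` clauses are for.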