--On Friday, March 06, 2009 4:10 PM -0500 Andrew Cobaugh phalenor@gmail.com wrote:
> Weird, this isn't matching:
> access to dn.children="ou=group,dc=mydoman" by set="this/cn & user/uid" write
> Instead, it's falling through to the "by * read" entry at the top of the tree.
> It doesn't even look like it's trying to match against that ACL, actually.
As documented, ACLs are evaluated in the order they are hit. So if you have a by * read at the top of your ACLs, then of course nothing after that will be evaluated.
I suggest you closely read slapd-access(5).
--Quanah
--
Quanah Gibson-Mount
Principal Software Engineer
Zimbra, Inc
--------------------
Zimbra :: the leader in open source messaging and collaboration
openldap-software@openldap.org
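
The ordering problem discussed in this thread, as an added slapd.conf-style example that is not part of the original messages. The DN and set expression are copied from the quoted ACL; the exact form of the catch-all rule and the extra `by * read` clause (assumed so that other users keep the read access the catch-all gave them) are assumptions.

```conf
# Added example, not from the original post.

# --- Order described in the thread: catch-all rule first ---
# "access to *" matches every entry, so slapd selects it for entries
# under ou=group as well and never consults the rule that follows.
#
#access to *
#    by * read
#access to dn.children="ou=group,dc=mydoman"
#    by set="this/cn & user/uid" write

# --- Reordered: most specific <what> first, catch-all last ---
# Entries under ou=group now hit this rule before the catch-all.
access to dn.children="ou=group,dc=mydoman"
    by set="this/cn & user/uid" write
    # Assumed: everyone else keeps read access. Without this clause the
    # implicit "by * none" that ends every access directive would deny
    # them, because evaluation does not continue to the catch-all below.
    by * read

# Catch-all for everything not matched above.
access to *
    by * read
```

Evaluation can be confirmed with `slapacl` or by raising the slapd log level to include ACL processing, both of which show which rule was selected for a given entry and identity.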