Please keep replies on the list.
On Mon, 19 Oct 2009, Edward Capriolo wrote: [...cut...]
As you have said, .*managed people are never able to auth once that rule is put in place. So if I understand you correctly I should do this:
access to dn.regex="mail=.*.managed@jointhegrid.com,ou=user,ou=jointhegrid.com,o=jointhegrid,c=US"
        attrs=userPassword,accountstatus
    by dn="mail=john@jointhegrid.com,ou=user,ou=jointhegrid.com,o=jointhegrid,c=US" write stop
    by dn="mail=sara@jointhegrid.com,ou=user,ou=jointhegrid,o=jointhegrid,c=US" write stop
    # "break": anyone else falls through to the next access directive
    by * none break

access to attr=userPassword
    by self write
    by anonymous auth
    by dn="mail=samba@jointhegrid.com,ou=user,ou=jointhegrid.com,o=jointhegrid,c=US" read
    by dn="mail=samba@jointhegrid-inc.com,ou=user,ou=jointhegrid-inc.com,o=jointhegrid,c=US" read
    by * none
?
Sure, that's a reasonable first move, if I'm understanding your desires correctly. Personally I like being very very very explicit in my ACLs, so I might actually write out dn.exact and put the * in "access to attr=userPassword." But you can worry about that in version 5...
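To check how the stop/break ordering in the ACL above actually decides requests before loading it into slapd, here is a small constructed model of slapd's first-match evaluation (added example, not part of the original mails or of OpenLDAP itself). The DNs and the regex are taken from the posted ACL; the entry DNs used for testing, such as bob.managed and alice, are assumed.

```python
import re

# Constructed model of slapd's first-match ACL evaluation with the stop/break
# controls, applied to the ACL posted above (example code, not OpenLDAP's own).
LEVELS = ["none", "auth", "compare", "search", "read", "write"]
BASE = "ou=user,ou=jointhegrid.com,o=jointhegrid,c=US"

def dn(mail, base=BASE):
    return f"mail={mail},{base}"

# Each directive: (target DN regex or None, attrs, [(who, level, control), ...]).
# 'who' is a DN, "self", "anonymous" or "*"; control is "stop" or "break".
ACL = [
    (r"mail=.*.managed@jointhegrid.com," + BASE, {"userPassword", "accountstatus"},
     [(dn("john@jointhegrid.com"), "write", "stop"),
      (dn("sara@jointhegrid.com", "ou=user,ou=jointhegrid,o=jointhegrid,c=US"), "write", "stop"),
      ("*", "none", "break")]),
    (None, {"userPassword"},
     [("self", "write", "stop"), ("anonymous", "auth", "stop"),
      (dn("samba@jointhegrid.com"), "read", "stop"),
      (dn("samba@jointhegrid-inc.com", "ou=user,ou=jointhegrid-inc.com,o=jointhegrid,c=US"), "read", "stop"),
      ("*", "none", "stop")]),
]

def who_matches(who, requester, target):
    if who == "*":
        return True
    if who == "anonymous":
        return requester is None
    if who == "self":
        return requester is not None and requester == target
    return requester == who

def granted(requester, target, attr, wanted, acl=ACL):
    """requester: bind DN or None (anonymous). Returns True if `wanted`
    access to `attr` of entry `target` is allowed under the ACL."""
    level = "none"
    for target_re, attrs, by_clauses in acl:
        if attr not in attrs or (target_re and not re.search(target_re, target)):
            continue                      # directive does not apply to this target
        for who, lvl, control in by_clauses:
            if who_matches(who, requester, target):
                level = lvl               # plain levels replace, they do not add up
                break
        else:
            return False                  # no <who> matched: implicit "by * none stop"
        if control == "stop":
            break                         # "break" carries on to the next directive
    return LEVELS.index(level) >= LEVELS.index(wanted)
```

The point to verify is the questioner's worry: an anonymous bind against a .managed account reaches the second directive through "by * none break", so `granted(None, dn("bob.managed@jointhegrid.com"), "userPassword", "auth")` is True, while john's write access does not extend to non-managed accounts.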
openldap-software@openldap.org