Hi,
I am trying to write acl statements that implement to following scenario:
with the exception of cn=radius,ou=sa,dc=test,dc=com
every user should be able to see all objects under ou=users,dc=test,dc=com.
cn=radius,ou=sa,dc=test,dc=com should only see objects under ou=users,dc=test,dc=com with objectClass=radiusprofile
I have tried the following acl statements which unfortunately do not work:
-------------------------------
{11}to filter="(!(objectClass=radiusprofile))"
by dn.exact="cn=radius,ou=sa,dc=test,dc=com" none
by * break
{12}to dn.subtree="ou=users,dc=test,dc=com" attrs=entry,@top,cn,entryUUID
by users read
by * break
-------------------------------
statement {11} results in cn=radius,ou=sa,dc=test,dc=com not being able to see any objects.
interestingly if I set the filter in {11} to "(objectClass=radiusprofile)" (without the inversion(!))
cn=radius,ou=sa,dc=test,dc=com can see all objects not having objectClass=radiusprofile, which is exactly the opposite of what I am
trying to do.
why does the inversion (!) in the filter statement result in cn=radius,ou=sa,dc=test,dc=com
not being able to see any objects?
Marvin