"Kick, Claus" claus.kick@siemens.com writes:
Hello,
Where am I making a mistake?
access to dn.subtree=ou=removed_accounts,ou=people,o=suffix by none
access to dn.one=ou=people,o=suffix by * write
Ok, that works like a charm! Follow-up question (this probably shows I don't know much about ACLs):
Why do I need to limit the scope via another ACL if I have one in place which itself should already limit the scope of a search on a subtree?
The principal design of ACLs is based on the ordering of a rule set, beginning with a rule protecting the smallest item, like an attribute, and ending with the largest tree item, like the whole tree. You may run slapd in ACL debugging mode in order to watch the parsing of the access rules; at least it gave me an understanding of the design of access rules.
-Dieter
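To make the ordering rule from the reply concrete, here is a small Python model of how slapd walks `access to` directives: the first `to` clause whose scope selects the target entry wins, and only that directive's `by` clauses are consulted. This is an added illustration written for this thread, not code from OpenLDAP or from either poster; it parses only the `dn.<scope>=` form of `<what>` and a handful of `<who>` forms, and it assumes (as a simplification) that an entry matched by no directive at all gets `none`. The configuration strings inside it are the two directives from the thread plus a deliberately mis-ordered variant, constructed here to show the broad-rule-first mistake.

```python
import re

# Parses a subset of slapd.conf "access to dn.<scope>=<base> by <who> <access> ..." lines.
RULE_RE = re.compile(
    r'^access\s+to\s+dn\.(base|one|subtree|children)="?([^"\s]+)"?\s+(by\s+.*)$', re.I)
BY_RE = re.compile(
    r'by\s+(\S+)\s+(none|disclose|auth|compare|search|read|write|manage)\b', re.I)


def norm_dn(dn):
    """Normalise a DN for comparison: lowercase, no whitespace around commas."""
    return [p.strip().lower() for p in dn.split(",")]


def in_scope(scope, base, target):
    """Does dn.<scope>=<base> select the entry <target>?"""
    b, t = norm_dn(base), norm_dn(target)
    if len(t) < len(b) or t[len(t) - len(b):] != b:
        return False                      # target is not at or below base
    depth = len(t) - len(b)               # 0 = base itself, 1 = direct child, ...
    return {"base": depth == 0, "one": depth == 1,
            "subtree": True, "children": depth >= 1}[scope]


def parse_acls(text):
    """Return [(scope, base, [(who, access), ...]), ...] in file order."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = RULE_RE.match(line)
        if not m:
            raise ValueError(f"unsupported directive in this toy model: {line}")
        scope, base, rest = m.groups()
        rules.append((scope.lower(), base, BY_RE.findall(rest)))
    return rules


def who_matches(who, bind_dn, target_dn):
    """Minimal <who> matching: *, anonymous, users, self, dn.exact=..."""
    who = who.lower()
    if who == "*":
        return True
    if who == "anonymous":
        return bind_dn is None
    if who == "users":
        return bind_dn is not None
    if who == "self":
        return bind_dn is not None and norm_dn(bind_dn) == norm_dn(target_dn)
    if who.startswith("dn.exact="):
        return bind_dn is not None and norm_dn(bind_dn) == norm_dn(who[9:].strip('"'))
    raise ValueError(f"unsupported <who> in this toy model: {who}")


def evaluate(rules, target_dn, bind_dn=None):
    """First directive whose <what> selects target_dn decides; later ones are never reached."""
    for scope, base, by_clauses in rules:
        if not in_scope(scope, base, target_dn):
            continue                      # this <what> does not select the entry: keep looking
        for who, access in by_clauses:
            if who_matches(who, bind_dn, target_dn):
                return access.lower()
        return "none"                     # implicit "by * none" at the end of every by-list
    return "none"                         # assumption of this model: no matching directive => none


# Constructed sample input: the thread's two directives, one per line.
THREAD_ACLS = """
access to dn.subtree=ou=removed_accounts,ou=people,o=suffix by * none
access to dn.one=ou=people,o=suffix by * write
"""

# Constructed counter-example: the broad subtree grant comes first and shadows the narrow deny.
MISORDERED_ACLS = """
access to dn.subtree=ou=people,o=suffix by * write
access to dn.subtree=ou=removed_accounts,ou=people,o=suffix by * none
"""

if __name__ == "__main__":
    bind = "cn=someone,o=suffix"          # constructed bind DN
    for label, cfg in (("thread order", THREAD_ACLS), ("misordered", MISORDERED_ACLS)):
        rules = parse_acls(cfg)
        for entry in ("uid=old,ou=removed_accounts,ou=people,o=suffix",
                      "uid=alice,ou=people,o=suffix",
                      "uid=deep,ou=sub,ou=people,o=suffix"):
            print(f"{label:13} {entry:55} -> {evaluate(rules, entry, bind)}")
```

Run against the thread's order, the entry under `ou=removed_accounts` gets `none` and a direct child of `ou=people` gets `write`; an entry two levels down gets nothing, because `dn.one` only reaches direct children. With the mis-ordered variant the removed account gets `write`, since the subtree rule on `ou=people` matches first and the deny below it is never consulted. On a real server the same question is answered by `slapacl -b <entryDN> -D <bindDN> <attr>/<access>` against the running configuration, or, as Dieter suggests, by starting slapd with the `acl` debug level.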