I am trying to write ACL statements that implement the following scenario:
With the exception of cn=radius,ou=sa,dc=test,dc=com, every user should be able to see all objects under ou=users,dc=test,dc=com. cn=radius,ou=sa,dc=test,dc=com should only see objects under ou=users,dc=test,dc=com with objectClass=radiusprofile.
On 15.08.2012 11:41, Peter Gietz wrote:
What about something like:

access to dn.subtree=ou=users,dc=test,dc=com filter="(objectClass=radiusprofile)"
    by dn=cn=radius,ou=sa,dc=test,dc=com read

access to dn.subtree=ou=users,dc=test,dc=com
    by dn=cn=radius,ou=sa,dc=test,dc=com none
    by users read
Thanks for your help, Peter! The statements you suggested result in the same situation as those I came up with in my last post.
The second statement (access by radius none) seems to override the first statement, i.e. if the second statement is in place, cn=radius is not able to see anything under ou=users,dc=test,dc=com anymore, no matter what objectclass the objects in the container have.
regards, marvin
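
An added illustration, not code from either poster or from OpenLDAP: a simplified Python model of slapd's documented evaluation order (first matching `access to` clause, then first matching `by` clause, with an implicit `by * none`) applied to the two statements quoted above. The sample entries, the `uid=carol` identity and the choice of ou=users,dc=test,dc=com as search base are assumptions, as is reducing slapd's search-base access requirement to "not none".

```python
# Simplified model of slapd ACL selection (added illustration, not slapd code).
RADIUS = "cn=radius,ou=sa,dc=test,dc=com"
SUBTREE = "ou=users,dc=test,dc=com"

# The two statements from the thread, in order:
# (subtree base, objectClass required by filter or None, ordered by-clauses)
ACLS = [
    (SUBTREE, "radiusprofile", [(RADIUS, "read")]),
    (SUBTREE, None, [(RADIUS, "none"), ("users", "read")]),
]

# Constructed sample entries: DN -> objectClass values
ENTRIES = {
    "ou=users,dc=test,dc=com": {"organizationalUnit"},
    "uid=alice,ou=users,dc=test,dc=com": {"inetOrgPerson", "radiusprofile"},
    "uid=bob,ou=users,dc=test,dc=com": {"inetOrgPerson"},
}

def in_subtree(dn, base):
    return dn == base or dn.endswith("," + base)

def access(who, dn):
    """Level granted by the first ACL whose <what> part matches dn."""
    for base, oc, by_clauses in ACLS:
        if not in_subtree(dn, base):
            continue
        if oc is not None and oc not in ENTRIES.get(dn, set()):
            continue                      # filter does not match this entry
        for subject, level in by_clauses:  # first matching <who> wins
            if subject == who or (subject == "users" and who):
                return level
        return "none"                      # implicit trailing "by * none"
    return "none"                          # no ACL matched at all

def search(who, base):
    """DNs a subtree search returns, or None if the base itself is refused."""
    if access(who, base) == "none":        # base entry must be accessible
        return None
    return sorted(dn for dn in ENTRIES
                  if in_subtree(dn, base) and access(who, dn) != "none")

if __name__ == "__main__":
    for dn in ENTRIES:
        print(dn, "->", access(RADIUS, dn))
    print("search from", SUBTREE, "->", search(RADIUS, SUBTREE))
```

In this model cn=radius gets read on the radiusprofile entry but none on ou=users,dc=test,dc=com itself, because that entry does not match the filter and falls through to the second statement, so a search based there is refused before any child entry is evaluated. Other authenticated users match the first statement's `<what>` for radiusprofile entries and hit its implicit `by * none`.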