On 6/6/2012 6:36 PM, Howard Chu wrote:
Don't inherit from top.
In my case, removing top ObjectClass from an entry does not change behavior.
Here is the entry, after removing top:
DN: uid=tester,ou=people,dc=example,dc=com
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
objectClass: eduPerson
objectClass: schacContactLocation
objectClass: entryAccessEntities
cn: Tester
eduPersonAffiliation: staff
eduPersonOrgDN: dc=example,dc=com
eduPersonOrgUnitDN: ou=people,dc=example,dc=com
eduPersonPrimaryAffiliation: staff
eduPersonPrimaryOrgUnitDN: ou=people,dc=example,dc=com
eduPersonPrincipalName: tester@example.com
eduPersonScopedAffiliation: staff@example.com
employeeType: unl
givenName: Tester
mail: tester@example.com
o: example
ou: research
schacHomeOrganization: example.com
sn: Tester
title: Scientific Technical Staff
uid: tester
userPassword:: secret
writeAccessEntities: cn=Admins,ou=Groups,dc=example,dc=com
When I use:
{xx}to dn.subtree="ou=people,dc=example,dc=com" attrs=@entryAccessEntities by group/groupOfNames/member.exact="cn=admins,ou=groups,dc=example,dc=com" read
*NOTE:* The DN should have write access to all other attrs, based on other ACLs
then:
# slapacl -b "uid=tester,ou=people,dc=example,dc=com" -D "uid=admin1,ou=people,dc=example,dc=com"
authcDN: "uid=admin1,ou=people,dc=example,dc=com"
entry: write(=wrscxd)
children: write(=wrscxd)
...
objectClass=person: read(=rscxd)
objectClass=organizationalPerson: read(=rscxd)
objectClass=inetOrgPerson: read(=rscxd)
objectClass=eduPerson: read(=rscxd)
objectClass=schacContactLocation: read(=rscxd)
objectClass=entryAccessEntities: read(=rscxd)
...
writeAccessEntities=cn=Admins,ou=Groups,dc=example,dc=com: read(=rscxd)
but when:
{xx}to dn.subtree="ou=people,dc=example,dc=com" attrs=writeAccessEntities,readAccessEntities,searchAccessEntities by group/groupOfNames/member.exact="cn=admins,ou=groups,dc=example,dc=com" read
then:
# slapacl -b "uid=tester,ou=people,dc=example,dc=com" -D "uid=admin1,ou=people,dc=example,dc=com"
authcDN: "uid=admin1,ou=people,dc=example,dc=com"
entry: write(=wrscxd)
children: write(=wrscxd)
...
objectClass=person: write(=wrscxd)
objectClass=organizationalPerson: write(=wrscxd)
objectClass=inetOrgPerson: write(=wrscxd)
objectClass=eduPerson: write(=wrscxd)
objectClass=schacContactLocation: write(=wrscxd)
objectClass=entryAccessEntities: write(=wrscxd)
...
writeAccessEntities=cn=Admins,ou=Groups,dc=example,dc=com: read(=rscxd)
Please advise.
Thanks, Nick
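Added example, not part of the thread and not OpenLDAP's own code: a small Python model of why the two ACLs above give different results on objectClass. Per slapd.access(5), an `attrs=@<objectclass>` selector covers every attribute the class requires or allows, and slapd flattens a class's MUST/MAY lists together with those of its superclasses when it loads the schema; a class declared `SUP top` therefore also picks up top's MUST attribute objectClass. Because the expansion is driven by the schema definition, the objectClass values stored in the entry do not enter into it. The `entryAccessEntities` definitions below (one with `SUP top`, one without) and the assumption that the `read` ACL is ordered before a catch-all `write` ACL are constructed for illustration; the real schema for that class is not on the page.

```python
# Constructed model of OpenLDAP "attrs=@<objectclass>" expansion and first-match
# ACL evaluation. Not slapd's code; schema definitions below are assumptions.
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class ObjectClass:
    name: str
    sup: Optional[str]               # superclass name, None if the class has no SUP
    must: frozenset = frozenset()    # attributes the class requires
    may: frozenset = frozenset()     # attributes the class allows


# The three attributes the second ACL in the thread lists explicitly.
ACCESS_ATTRS = frozenset(
    {"writeAccessEntities", "readAccessEntities", "searchAccessEntities"}
)

# Constructed schema: "top" requires objectClass (as in the standard schema);
# the two entryAccessEntities variants differ only in whether they inherit from top.
SCHEMA: Dict[str, ObjectClass] = {
    "top": ObjectClass("top", None, must=frozenset({"objectClass"})),
    "entryAccessEntities": ObjectClass("entryAccessEntities", "top", may=ACCESS_ATTRS),
    "entryAccessEntitiesNoTop": ObjectClass("entryAccessEntitiesNoTop", None, may=ACCESS_ATTRS),
}


def objectclass_attrs(schema: Dict[str, ObjectClass], oc_name: str) -> frozenset:
    """All MUST and MAY attributes of oc_name, walking up the SUP chain."""
    attrs = set()
    name: Optional[str] = oc_name
    while name is not None:
        oc = schema[name]
        attrs |= oc.must | oc.may
        name = oc.sup
    return frozenset(attrs)


def expand_attrs(schema: Dict[str, ObjectClass], selector: str) -> Optional[frozenset]:
    """Turn an ACL attrs= value into the set of attribute names it covers.

    "*" means every attribute (returned as None); "@<oc>" expands to the
    class's attributes; plain names are taken literally; items may be
    comma-separated.
    """
    if selector.strip() == "*":
        return None
    names = set()
    for item in selector.split(","):
        item = item.strip()
        if item.startswith("@"):
            names |= objectclass_attrs(schema, item[1:])
        elif item:
            names.add(item)
    return frozenset(names)


@dataclass
class Acl:
    attrs: Optional[frozenset]   # None means the ACL applies to every attribute
    level: str                   # access level granted to the matching subject


def access_for(acls: List[Acl], attr: str) -> str:
    """First-match evaluation: the first ACL whose attrs cover attr decides."""
    for acl in acls:
        if acl.attrs is None or attr in acl.attrs:
            return acl.level
    return "none"


def simulate(schema: Dict[str, ObjectClass], selector: str) -> Dict[str, str]:
    """Access the admin group ends up with on a few attributes when the
    "read" ACL uses the given selector and is followed by a catch-all
    "write" ACL (assumed ordering, mirroring the NOTE in the thread)."""
    acls = [
        Acl(expand_attrs(schema, selector), "read"),
        Acl(expand_attrs(schema, "*"), "write"),
    ]
    return {a: access_for(acls, a) for a in ("objectClass", "writeAccessEntities", "cn")}


if __name__ == "__main__":
    for sel in (
        "@entryAccessEntities",
        "writeAccessEntities,readAccessEntities,searchAccessEntities",
        "@entryAccessEntitiesNoTop",
    ):
        print(f"{sel}: {simulate(SCHEMA, sel)}")
```

With `@entryAccessEntities` the model reports `read` on objectClass and `read` on writeAccessEntities, matching the first slapacl run; with the explicit attribute list, or with a class that does not inherit from top, objectClass falls through to the catch-all and gets `write`, matching the second run and Howard's advice. A quick way to confirm the expansion on a real server is the same `slapacl` invocation as above, checking the objectClass lines before and after the schema change.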