Hello Michael,
On 30.06.2016 at 11:29, Michael Ströder wrote:
> > - ACL rules can't be bound to the LDAP operation (search, auth, add,
> > modify, delete, ...), you can only remove e.g. some of the permission bits (e.g. access to if-operation="search" ...)
> Setting the privileges is IMO sufficient.
I see this differently. One example where this is useful would be the following: I would like to e.g. add a rule at the very top of all ACL definitions:
"access to attrs=uidNumber value=0 by * none stop"
But this prevents any other rule afterwards from making it *readable*.
Having something like:
"access to attrs=uidNumber value=0 if-operation="write,manage" by * none stop"
would solve this problem.
Best regards,
Florian