On 16.08.2012 14:03, Mundry, Marvin wrote:
I am trying to write acl statements that implement to following scenario:
With the exception of cn=radius,ou=sa,dc=test,dc=com, every user should be able to see all objects under ou=users,dc=test,dc=com. cn=radius,ou=sa,dc=test,dc=com should only see objects under ou=users,dc=test,dc=com with objectClass=radiusprofile.
On 15.08.2012 11:41, Peter Gietz wrote:
What about something like:
access to dn.subtree=ou=users,dc=test,dc=com filter="(objectClass=radiusprofile)" by dn=cn=radius,ou=sa,dc=test,dc=com read
access to dn.subtree=ou=users,dc=test,dc=com by dn=cn=radius,ou=sa,dc=test,dc=com none by users read
Thanks for your help, Peter! The statements you suggested result in the same situation as those I came up with in my last post.
The second statement (access by radius none) seems to override the first statement, i.e. if the second statement is in place, cn=radius is not able to see anything under ou=users,dc=test,dc=com anymore, no matter what objectClass the objects in the container have.
Now I did try it out and think I found a solution to your problem:
access to dn.children="ou=users,dc=test,dc=com" filter="(objectClass=radiusprofile)" by dn=cn=radius,ou=sa,dc=test,dc=com read by users read
access to dn.children="ou=users,dc=test,dc=com" by dn=cn=radius,ou=sa,dc=test,dc=com none by users read
access to dn.base="ou=users,dc=test,dc=com" by users read
Does this work for you?
Cheers,
Peter
regards, marvin
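As an added illustration (not code from the thread or from OpenLDAP itself), the following Python model applies slapd's first-match ACL evaluation to both rule sets discussed above, using constructed sample entries. It assumes that a search based at ou=users needs access to that base entry (modelled here as read access), which is what makes the dn.subtree version deny cn=radius everything and the dn.children plus dn.base version work; the implicit "by * none" at the end of a matched clause is also modelled.

```python
# Model of slapd first-match ACL evaluation for the thread's two rule sets.
# Illustration only; the entries and the "base must be readable" check are assumptions.
RADIUS = "cn=radius,ou=sa,dc=test,dc=com"
USERS = "ou=users,dc=test,dc=com"

# Constructed sample entries: the ou=users base plus two children, one a radiusprofile.
ENTRIES = [
    {"dn": USERS, "objectClass": {"organizationalUnit"}},
    {"dn": "uid=alice," + USERS, "objectClass": {"inetOrgPerson"}},
    {"dn": "uid=bob," + USERS, "objectClass": {"inetOrgPerson", "radiusprofile"}},
]

def children(dn):   # dn.children: strictly below ou=users
    return dn != USERS and dn.endswith("," + USERS)
def subtree(dn):    # dn.subtree: ou=users itself and everything below it
    return dn == USERS or children(dn)
def is_radius(who): return who == RADIUS
def any_user(who):  return who is not None   # "by users": any authenticated DN

# Each rule: (entry predicate, ordered list of ("by" predicate, access level)).
# Peter's second suggestion: children + filter, children, base.
CHILDREN_RULES = [
    (lambda e: children(e["dn"]) and "radiusprofile" in e["objectClass"],
     [(is_radius, "read"), (any_user, "read")]),
    (lambda e: children(e["dn"]), [(is_radius, "none"), (any_user, "read")]),
    (lambda e: e["dn"] == USERS, [(any_user, "read")]),
]
# Peter's first suggestion with dn.subtree, for comparison.
SUBTREE_RULES = [
    (lambda e: subtree(e["dn"]) and "radiusprofile" in e["objectClass"],
     [(is_radius, "read")]),
    (lambda e: subtree(e["dn"]), [(is_radius, "none"), (any_user, "read")]),
]

def access(rules, entry, who):
    """First matching 'access to' clause wins, then its first matching 'by';
    a matched clause with no matching 'by' denies (implicit 'by * none')."""
    for target, by_list in rules:
        if target(entry):
            return next((lvl for pred, lvl in by_list if pred(who)), "none")
    return "none"

def search(rules, who):
    """Subtree search based at ou=users: the base entry must be accessible
    (assumed: read on it), then the readable child entries are returned."""
    base = ENTRIES[0]
    if access(rules, base, who) == "none":
        return []
    return [e["dn"] for e in ENTRIES[1:] if access(rules, e, who) == "read"]
```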