--On Monday, October 16, 2017 5:55 PM +0200 Ervin Hegedüs airween@gmail.com wrote:
> without any real testing, I'm afraid that the rule{0} gives write access to cn=groupabcadmin to _all_ of the db, not just the ou=ABC Cumstomer subtree.
> Am I right?
Hm, yes, that's correct. You'll need to do something like utilize by * break appropriately, or have multiple "access to userPassword" ACLs by group, then a catchall after that.
--Quanah
--
Quanah Gibson-Mount
Product Architect
Symas Corporation
Packaged, certified, and supported LDAP solutions powered by OpenLDAP: http://www.symas.com
Hi Quanah,
On Mon, Oct 16, 2017 at 07:58:45AM -0700, Quanah Gibson-Mount wrote:
> --On Monday, October 16, 2017 5:55 PM +0200 Ervin Hegedüs airween@gmail.com wrote:
>> without any real testing, I'm afraid that the rule{0} gives write access to cn=groupabcadmin to _all_ of the db, not just the ou=ABC Cumstomer subtree.
>> Am I right?
> Hm, yes, that's correct. You'll need to do something like utilize by * break appropriately, or have multiple "access to userPassword" ACLs by group, then a catchall after that.
I'm sorry - could you give me an example?
I just started to use the LDAP ACLs a few days ago... :)
I don't believe this is the first time this need has come up, but I haven't found any example or case study.
Thanks again,
a.
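
An added example, not taken from either poster's configuration, of the layout suggested in the reply above: a userPassword rule scoped to the customer subtree that ends in "by * break", followed by a catchall. The suffix dc=example,dc=com, the ou=Groups container, the database DN olcDatabase={1}mdb,cn=config and the final "to *" rule are assumptions; only cn=groupabcadmin and the ou=ABC Cumstomer subtree come from the thread.

```ldif
# Constructed example. Everything under dc=example,dc=com is a placeholder.
#
# Unscoped form, as described in the thread: the "to" clause has no DN
# scope, so the group can write userPassword on every entry in the database.
#   olcAccess: {0}to attrs=userPassword
#     by group.exact="cn=groupabcadmin,ou=Groups,dc=example,dc=com" write
#     by self write
#     by anonymous auth
#     by * none
#
# Scoped form. "replace" overwrites every existing olcAccess value, so the
# full rule set for the database has to be listed here.
dn: olcDatabase={1}mdb,cn=config
changetype: modify
replace: olcAccess
# {0}: applies only to userPassword inside the customer subtree. The group
# gets write; everyone else hits "by * break", which hands evaluation to the
# next rule that matches instead of stopping here with no access.
olcAccess: {0}to dn.subtree="ou=ABC Cumstomer,dc=example,dc=com" attrs=userPassword
  by group.exact="cn=groupabcadmin,ou=Groups,dc=example,dc=com" write
  by * break
# {1}: catchall for userPassword everywhere, including the customer subtree
# for identities that fell through from {0}. The group is not named here, so
# it has no write access outside its own subtree.
olcAccess: {1}to attrs=userPassword
  by self write
  by anonymous auth
  by * none
# {2}: placeholder for the remaining rules of the database (assumed policy).
olcAccess: {2}to *
  by * read
```

Apply it with ldapmodify against cn=config, then confirm the scoping with slapacl by testing userPassword/write as a member of the group against one entry inside the subtree and one outside it.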
openldap-technical@openldap.org