That's a shame. Thanks for the push in the right direction though.<br>--BO<br><br><div><span class="gmail_quote">On 4/2/07, <b class="gmail_sendername">Richard Megginson</b> <<a href="mailto:rmeggins@redhat.com">rmeggins@redhat.com
</a>> wrote:</span><blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">Bjorn Oglefjorn wrote:<br>> Thanks for the response Richard. This helps some, but how do I target
<br>> the _members_ of, say 'cn=admins,ou=groups,dc=example,dc=com'?<br>Hmm - not sure. I don't think this is possible. It doesn't appear that<br>groupdn is supported in a target clause. If all of the entries could be
<br>identified by a search filter, you could use a (targetfilter=...). If<br>you use Roles instead of groups, you could use<br>(targetfilter=(nsRole=dn_of_role_definition)).<br>><br>> Thanks again,<br>> --BO<br>>
<br>> On 4/2/07, Richard Megginson <<a href="mailto:rmeggins@redhat.com">rmeggins@redhat.com</a>> wrote:<br>><br>> Bjorn Oglefjorn wrote:
<br>> > Here's what I'm starting with:<br>> ><br>> > (targetattr = "userPassword" )<br>> > (target = "ldap:///dc=example,dc=com")<br>> > (version
3.0;<br>> > acl "Support can change passwords";<br>> > allow (all)<br>> > (groupdn = "ldap:///cn=support,ou=groups,dc=example,dc=com");)<br>> ><br>> > I just can't figure out how to write the exception.
<br>> You can add a separate deny aci - deny takes precedence over allow.<br>> > --BO<br>> ><br>> > On 3/30/07, Bjorn Oglefjorn <<a href="mailto:sys.mailing@gmail.com">sys.mailing@gmail.com</a>> wrote:<br>> ><br>> > Or maybe it's not so complicated and I don't know how. ;)<br>> ><br>> > This is what I'm trying to accomplish:
<br>> ><br>> > Users who are a member of the group 'cn=support'<br>> > can perform ALL operations on 'userPassword',<br>> > except on targets which are a member of group 'cn=admins' or
<br>> > 'cn=bosses'.<br>> ><br>> > Is this possible? I can't figure out how. Thanks in advance!<br>> > --BO<br>> ><br>> ><br>> >
<br>> ------------------------------------------------------------------------<br>> ><br>> > --<br>> > Fedora-directory-users mailing list<br>> > <a href="mailto:Fedora-directory-users@redhat.com">
Fedora-directory-users@redhat.com</a><br>> <mailto:<a href="mailto:Fedora-directory-users@redhat.com">Fedora-directory-users@redhat.com</a>><br>> > <a href="https://www.redhat.com/mailman/listinfo/fedora-directory-users">
https://www.redhat.com/mailman/listinfo/fedora-directory-users</a><br>> ><br><br><br></blockquote></div><br>
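The two suggestions in the thread (a separate deny ACI, and a targetfilter on nsRole in place of group membership) combined into one LDIF, as an added example that is not part of the original messages. It assumes the admins and bosses are put into managed roles; the role names cn=admins-role and cn=bosses-role and the user uid=jdoe are hypothetical.

```ldif
# Constructed example: managed roles standing in for the 'admins' and
# 'bosses' groups, so that protected entries can be matched by a filter.
dn: cn=admins-role,dc=example,dc=com
changetype: add
objectClass: top
objectClass: LDAPsubentry
objectClass: nsRoleDefinition
objectClass: nsSimpleRoleDefinition
objectClass: nsManagedRoleDefinition
cn: admins-role

dn: cn=bosses-role,dc=example,dc=com
changetype: add
objectClass: top
objectClass: LDAPsubentry
objectClass: nsRoleDefinition
objectClass: nsSimpleRoleDefinition
objectClass: nsManagedRoleDefinition
cn: bosses-role

# Put a user into a managed role by adding nsRoleDN to the user's entry
# (uid=jdoe is a hypothetical entry).
dn: uid=jdoe,ou=people,dc=example,dc=com
changetype: modify
add: nsRoleDN
nsRoleDN: cn=admins-role,dc=example,dc=com

# Deny ACI that sits beside the existing "Support can change passwords"
# allow ACI. Deny takes precedence over allow, so members of cn=support
# lose all rights on userPassword for entries that hold either role.
dn: dc=example,dc=com
changetype: modify
add: aci
aci: (targetattr = "userPassword")
 (targetfilter = "(|(nsRole=cn=admins-role,dc=example,dc=com)
 (nsRole=cn=bosses-role,dc=example,dc=com))")
 (version 3.0; acl "Support cannot touch admin or boss passwords";
  deny (all)
  (groupdn = "ldap:///cn=support,ou=groups,dc=example,dc=com");)
```

Because the deny is bound to membership of cn=support, a support member who also holds one of the two roles is denied on their own userPassword as well, whatever self-service allow ACI exists.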