That's a shame. Thanks for the push in the right direction though. --BO <div>On 4/2/07, Richard Megginson <<a href="mailto:rmeggins@redhat.com">rmeggins@redhat.com </a>> wrote:<blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">Bjorn Oglefjorn wrote: > Thanks for the response Richard. This helps some, but how do I target > the _members_ of, say 'cn=admins,ou=groups,dc=example,dc=com'? Hmm - not sure. I don't think this is possible. It doesn't appear that groupdn is supported in a target clause. If all of the entries could be identified by a search filter, you could use a (targetfilter=...) If you use Roles instead of groups, you could use targetfilter=(nsRole=dn_of_role_definition)). > > Thanks again, > --BO > > On 4/2/07, * Richard Megginson* <<a href="mailto:rmeggins@redhat.com">rmeggins@redhat.com</a> > <mailto:<a href="mailto:rmeggins@redhat.com">rmeggins@redhat.com</a>>> wrote: > > Bjorn Oglefjorn wrote: > > Here's what I'm starting with: > > > > (targetattr = "userPassword" ) > > (target = "ldap:///dc=example,dc=com") > > (version 3.0; > > acl "Support can change passwords"; > > allow (all) > > (groupdn = "ldap:///cn=support,ou=groups,dc=example,dc=com");) > > > > I just can't figure out how to write the exception. > You can add a separate deny aci - deny takes precedence over allow. > > --BO > > > > On 3/30/07, * Bjorn Oglefjorn* <<a href="mailto:sys.mailing@gmail.com">sys.mailing@gmail.com </a> > <mailto:<a href="mailto:sys.mailing@gmail.com">sys.mailing@gmail.com</a>> > > <mailto:<a href="mailto:sys.mailing@gmail.com">sys.mailing@gmail.com</a> <mailto:<a href="mailto:sys.mailing@gmail.com"> sys.mailing@gmail.com</a>>>> > wrote: > > > > Or maybe it's not so complicated and I don't know how. ;) > > > > This is what I'm trying to accomplish: > > > > Users who are a member of the group 'cn=support' > > can perform ALL operations on 'userPassword', > > except on targets which are a member of group 'cn=admins' or > > 'cn=bosses'. > > > > Is this possible? I can't figure out how. Thanks in advance! > > --BO > > > > > > > ------------------------------------------------------------------------ > > > > -- > > Fedora-directory-users mailing list > > <a href="mailto:Fedora-directory-users@redhat.com"> Fedora-directory-users@redhat.com</a> > <mailto:<a href="mailto:Fedora-directory-users@redhat.com">Fedora-directory-users@redhat.com</a>> > > <a href="https://www.redhat.com/mailman/listinfo/fedora-directory-users"> https://www.redhat.com/mailman/listinfo/fedora-directory-users</a> > > > > -- > Fedora-directory-users mailing list > <a href="mailto:Fedora-directory-users@redhat.com">Fedora-directory-users@redhat.com </a> > <mailto:<a href="mailto:Fedora-directory-users@redhat.com">Fedora-directory-users@redhat.com</a>> > <a href="https://www.redhat.com/mailman/listinfo/fedora-directory-users">https://www.redhat.com/mailman/listinfo/fedora-directory-users </a> > <<a href="https://www.redhat.com/mailman/listinfo/fedora-directory-users">https://www.redhat.com/mailman/listinfo/fedora-directory-users</a>> > > > > ------------------------------------------------------------------------ > > -- > Fedora-directory-users mailing list > <a href="mailto:Fedora-directory-users@redhat.com">Fedora-directory-users@redhat.com</a> > <a href="https://www.redhat.com/mailman/listinfo/fedora-directory-users"> https://www.redhat.com/mailman/listinfo/fedora-directory-users</a> > -- Fedora-directory-users mailing list <a href="mailto:Fedora-directory-users@redhat.com">Fedora-directory-users@redhat.com</a> <a href="https://www.redhat.com/mailman/listinfo/fedora-directory-users"> https://www.redhat.com/mailman/listinfo/fedora-directory-users</a> </blockquote></div>