[Fedora-directory-users] what's wrong with this ACI?
speedy zinc
speedy_zinc at yahoo.com
Fri Nov 4 07:46:02 UTC 2005
I've created two user entries under People:
Test User: uid=testuser
Jane Doe : uid=JDoe
Here's what I'm trying to achieve with access control:
- Turn off anon access to the entry Test User
- Allow full access to Test User on Test User
- Allow (read, search, compare) to JDoe on Test User,
and
no other users
- Allow full access to "cn=Directory Manager" on Test
User.
- Anon access is still allowed on other entries
So, here is the list of ACIs (besides the inherited
ones)
that I've created on the entry Test User:
(targetattr = "*") (version 3.0;acl "self";allow
(all)(userdn = "ldap:///uid=testuser,ou=People,
dc=dummy,dc=com");)
(targetattr != "userPassword") (version 3.0;acl "No
anonymous access";deny (all)(userdn =
"ldap:///anyone");)
(targetattr = "*") (target =
"ldap:///uid=testuser,ou=People, dc=dummy,dc=com")
(version 3.0;acl "Allow JDoe";allow
(read,compare,search)(userdn =
"ldap:///uid=JDoe,ou=People, dc=dummy,dc=com");)
With the ACIs above, it seems that the "No anonymous
access"
is taking precendence over the other two. Even the
"Test
User" does not have access to its own data, and JDoe
certainly does not either. The only user who has
access
is the Directory Manager.
How do I achieve my goals with ACI?
thanks a lot.
sz.
__________________________________
Yahoo! Mail - PC Magazine Editors' Choice 2005
http://mail.yahoo.com
More information about the Fedora-directory-users
mailing list