[Fedora-directory-users] Re: Complicated ACI Definitions
Richard Megginson
rmeggins at redhat.com
Mon Apr 2 16:17:49 UTC 2007
Bjorn Oglefjorn wrote:
> Here's what I'm starting with:
>
> (targetattr = "userPassword" )
> (target = "ldap:///dc=example,dc=com")
> (version 3.0;
> acl "Support can change passwords";
> allow (all)
> (groupdn = "ldap:///cn=support,ou=groups,dc=example,dc=com");)
>
> I just can't figure out how to write the exception.
You can add a separate deny aci - deny takes precedence over allow.
> --BO
>
> On 3/30/07, * Bjorn Oglefjorn* <sys.mailing at gmail.com
> <mailto:sys.mailing at gmail.com>> wrote:
>
> Or maybe it's not so complicated and I don't know how. ;)
>
> This is what I'm trying to accomplish:
>
> Users who are a member of the group 'cn=support'
> can perform ALL operations on 'userPassword',
> except on targets which are a member of group 'cn=admins' or
> 'cn=bosses'.
>
> Is this possible? I can't figure out how. Thanks in advance!
> --BO
>
>
> ------------------------------------------------------------------------
>
> --
> Fedora-directory-users mailing list
> Fedora-directory-users at redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-directory-users
>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 3245 bytes
Desc: S/MIME Cryptographic Signature
URL: <http://listman.redhat.com/archives/fedora-directory-users/attachments/20070402/cb279aeb/attachment.bin>
More information about the Fedora-directory-users
mailing list