[Fedora-directory-users] Re: Complicated ACI Definitions
Bjorn Oglefjorn
sys.mailing at gmail.com
Mon Apr 2 16:26:45 UTC 2007
Thanks for the response Richard. This helps some, but how do I target the
_members_ of, say 'cn=admins,ou=groups,dc=example,dc=com'?
Thanks again,
--BO
On 4/2/07, Richard Megginson <rmeggins at redhat.com> wrote:
>
> Bjorn Oglefjorn wrote:
> > Here's what I'm starting with:
> >
> > (targetattr = "userPassword" )
> > (target = "ldap:///dc=example,dc=com")
> > (version 3.0;
> > acl "Support can change passwords";
> > allow (all)
> > (groupdn = "ldap:///cn=support,ou=groups,dc=example,dc=com");)
> >
> > I just can't figure out how to write the exception.
> You can add a separate deny aci - deny takes precedence over allow.
> > --BO
> >
> > On 3/30/07, * Bjorn Oglefjorn* <sys.mailing at gmail.com
> > <mailto:sys.mailing at gmail.com>> wrote:
> >
> > Or maybe it's not so complicated and I don't know how. ;)
> >
> > This is what I'm trying to accomplish:
> >
> > Users who are a member of the group 'cn=support'
> > can perform ALL operations on 'userPassword',
> > except on targets which are a member of group 'cn=admins' or
> > 'cn=bosses'.
> >
> > Is this possible? I can't figure out how. Thanks in advance!
> > --BO
> >
> >
> > ------------------------------------------------------------------------
> >
> > --
> > Fedora-directory-users mailing list
> > Fedora-directory-users at redhat.com
> > https://www.redhat.com/mailman/listinfo/fedora-directory-users
> >
>
> --
> Fedora-directory-users mailing list
> Fedora-directory-users at redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-directory-users
>
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://listman.redhat.com/archives/fedora-directory-users/attachments/20070402/aef2f245/attachment.htm>
More information about the Fedora-directory-users
mailing list