[389-users] Client ACI question

Matti Alho listat at alho.fi
Thu Jan 3 06:56:25 UTC 2013


>> "uid=serveruser1,ou=ServerUsers,dc=domain,dc=com"
>> ==> has access to
>> "cn=Project1,ou=Projects,dc=domain,dc=com"
>> AND
>> "cn=Project2,ou=Projects,dc=domain,dc=com"
>> ==> deny access to other entries in "ou=Projects,dc=domain,dc=com"
> you could use targetfilter like:
>
> (targetfilter = "(|(cn=Project1)(cn=Project2))")
>
> to restrict application of the aci to these entries and list several
> users in the bind rules, or
>
> you could add an attribute like manager to these entries, eg:
> cn=Project2,ou=Projects,dc=domain,dc=com
> ...
> manager: uid=serveruser1,ou=ServerUsers,dc=domain,dc=com
>
> and create an aci like:
> aci: (target="ldap:///dc=domain,dc=com")(targetattr="*")(version 3.0;acl
> "manager-write"; allow (all) userattr = "manager#USERDN";)
>
> If the attribute you're using is multivalued, it should work defining
> several users.

Thanks for the example! Now I'm starting to understand how it works.

-Matti
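An added LDIF that applies the manager-attribute approach from the quoted reply (constructed for this page, not part of the thread), with the target narrowed to ou=Projects and the rights limited to read/search/compare rather than allow (all). It assumes the Project entries' object classes permit the manager attribute and that no broader allow ACI already covers the subtree.

```ldif
# Constructed example: grant serveruser1 read access only to the project
# entries that name it in the manager attribute.  Entries under
# ou=Projects without a matching manager value get no allow rule here,
# so the server's default-deny applies to them.
dn: cn=Project1,ou=Projects,dc=domain,dc=com
changetype: modify
add: manager
manager: uid=serveruser1,ou=ServerUsers,dc=domain,dc=com

dn: cn=Project2,ou=Projects,dc=domain,dc=com
changetype: modify
add: manager
manager: uid=serveruser1,ou=ServerUsers,dc=domain,dc=com

# The ACI lives on ou=Projects and targets only that subtree, not the
# whole suffix, so a manager value elsewhere in the tree grants nothing.
dn: ou=Projects,dc=domain,dc=com
changetype: modify
add: aci
aci: (target="ldap:///ou=Projects,dc=domain,dc=com")(targetattr="*")
 (version 3.0; acl "manager-read"; allow (read,search,compare)
 userattr="manager#USERDN";)
```

Before relying on the deny, list the existing rules with `ldapsearch -x -D "cn=Directory Manager" -W -b dc=domain,dc=com "(aci=*)" aci`, since a broader allow (for example an anonymous-read ACI on the suffix) would still expose the other project entries.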