Gary Mann wrote:
>
> a question: we have a requirement where only users that have a role
> are able to see role membership. so if i have role A, i can see the
> membership for role A (search on nsRole=<roleA>) but cannot
> necessarily see role B members, etc. the same restriction applies
> when pulling the nsRole attribute.
>
> is there any way (via aci) to support this? i've implemented a plugin
> (actually 2 - a computed attribute and preop) that supports this but
> wanted to make sure that i wasn't missing something in aci setup that
> would accomplish the same thing.

Perhaps by using a targetfilter? e.g. assuming the role definition entry is
cn=MyRole,ou=people,dc=example,dc=com

dn: ou=people,dc=example,dc=com
...
aci: (targetattr="uid || cn")(targetfilter="(nsRole=cn=MyRole,ou=people,dc=example,dc=com)")(version 3.0; acl "Allow people to see other role members"; allow (read, search, compare) roledn = "ldap:///cn=MyRole,ou=people,dc=example,dc=com";)

This allows people who are a member of MyRole to see the attributes uid and cn
in any entry under ou=people which matches nsRole=cn=myRole,.... (i.e. any entry
which belongs to that role). I haven't tried it out but this or something like
this should work. See here for more info
http://www.redhat.com/docs/manuals/dir-server/ag/7.1/acl.html#997355

> Thanks,
> Gary
>
> --
> Fedora-directory-users mailing list
> Fedora-directory-users at redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-directory-users
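The setup the reply sketches, written out as a complete LDIF you could load with ldapmodify. This is an added example, not from the original mail or the 389 project: the suffix dc=example,dc=com, the role name MyRole and the users alice, bob and carol are all assumed, and the password values are placeholders.

```ldif
# Added example (not part of the original mail). Assumed suffix: dc=example,dc=com.
# Load with: ldapmodify -x -D "cn=Directory Manager" -W -f this-file.ldif

# Managed role definition. The roles plugin computes the virtual attribute
# nsRole on every entry whose nsRoleDN names this DN.
dn: cn=MyRole,ou=people,dc=example,dc=com
changetype: add
objectClass: top
objectClass: LDAPsubentry
objectClass: nsRoleDefinition
objectClass: nsSimpleRoleDefinition
objectClass: nsManagedRoleDefinition
cn: MyRole

# Two members: each carries nsRoleDN, so each gets nsRole=cn=MyRole,... computed.
dn: uid=alice,ou=people,dc=example,dc=com
changetype: add
objectClass: top
objectClass: person
objectClass: inetOrgPerson
uid: alice
cn: Alice Example
sn: Example
userPassword: CHANGE-ME-placeholder
nsRoleDN: cn=MyRole,ou=people,dc=example,dc=com

dn: uid=bob,ou=people,dc=example,dc=com
changetype: add
objectClass: top
objectClass: person
objectClass: inetOrgPerson
uid: bob
cn: Bob Example
sn: Example
userPassword: CHANGE-ME-placeholder
nsRoleDN: cn=MyRole,ou=people,dc=example,dc=com

# A non-member for contrast: no nsRoleDN, so the targetfilter below never matches.
dn: uid=carol,ou=people,dc=example,dc=com
changetype: add
objectClass: top
objectClass: person
objectClass: inetOrgPerson
uid: carol
cn: Carol Example
sn: Example
userPassword: CHANGE-ME-placeholder

# The ACI from the reply, attached to the container. 389 DS is deny-by-default and
# allow rules are cumulative, so this only restricts anything if no broader ACI
# (e.g. an anonymous-read ACI on the suffix) already exposes these entries.
dn: ou=people,dc=example,dc=com
changetype: modify
add: aci
aci: (targetattr="uid || cn")(targetfilter="(nsRole=cn=MyRole,ou=people,dc=example,dc=com)")(version 3.0; acl "Allow people to see other role members"; allow (read, search, compare) roledn = "ldap:///cn=MyRole,ou=people,dc=example,dc=com";)
```

To check it, bind as uid=alice and search ou=people with the filter (nsRole=cn=MyRole,ou=people,dc=example,dc=com): alice and bob's uid and cn should come back, while the same search bound as uid=carol should return no entries.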