--- Chen Shaopeng <chen_shaopeng at idsignet.com> wrote:

> Note that ACIs are logically ORed during evaluation. And "deny"
> always takes precedence over "allow". So, your ACI which
> [deny(all)(userdn="ldap:///anyone")] will take precedence
> over the other two. Therefore, even Test User is denied reading
> his own data.
>
> You can combine the 3 ACIs above into the following:
>
> (targetattr="*")(target="ldap:///uid=testuser,ou=People,dc=dummy,dc=com")
> (version 3.0;acl "Self and JDoe (but no anon to all)";
> deny(all)(userdn != "ldap:///uid=testuser,ou=People,dc=dummy,dc=com ||
> ldap:///uid=JDoe,ou=People,dc=dummy,dc=com");)
>
> This tells the server to deny to all on that specific target except
> if userdn is "testuser" or "JDoe".
>
> Hope that helps.

Thanks a lot, Chen! Exactly what I want :)

sz
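An added example to go with the thread above, not code from the mail or from any directory server: a small model of the evaluation rule Chen describes (applicable ACIs are ORed, an explicit deny beats any allow, and nothing is granted unless some allow matches, which is how Netscape/Sun/389-style servers behave). It runs the poster's three-ACI set and the combined ACI against the same three binds. Assumptions, since the page only quotes the deny(all) ACI: the other two original ACIs are reconstructed as "allow(all) for self" and "allow(read) for JDoe", a suffix-wide read allow for anyone (the stock "anonymous read" ACI most deployments carry) is present, and the combined ACI is written with the three-slash "ldap:///" prefix throughout. The caveat the matrix makes visible is that a deny-only ACI grants nothing by itself: the combined rule only works because a broader allow exists, and testuser keeps only whatever that broader allow gives him (read here, not write).

```python
"""Toy model of Netscape/Sun/389-style ACI evaluation for the thread above.
Added example, not the server's code. Models only: ACIs are ORed, an explicit
deny beats any allow, default is deny. targetattr is ignored (all "*")."""
import re
from dataclasses import dataclass
from typing import Optional

ACI_RE = re.compile(
    r'\(target\s*=\s*"(?P<target>[^"]*)"\).*?'
    r'(?P<effect>allow|deny)\s*\((?P<rights>[^)]*)\)\s*'
    r'\(?userdn\s*(?P<op>!?=)\s*"(?P<dns>[^"]*)"\)?',
)

@dataclass
class Aci:
    target_dn: str       # entry (and subtree) the ACI covers
    effect: str          # "allow" or "deny"
    rights: frozenset    # {"read", "search", ...} or {"all"}
    negate: bool         # True for  userdn != "..."
    subjects: list       # ldap:/// URLs; "||" alternatives are ORed

def norm(dn: str) -> str:
    return dn.replace(" ", "").lower()

def strip_url(url: str) -> str:
    assert url.startswith("ldap:///"), url   # three slashes, no host part
    return url[len("ldap:///"):]

def parse_aci(text: str) -> Aci:
    m = ACI_RE.search(" ".join(text.split()))   # fold line-wrapped ACIs
    if not m:
        raise ValueError(f"unsupported ACI: {text!r}")
    return Aci(target_dn=strip_url(m["target"]), effect=m["effect"],
               rights=frozenset(r.strip() for r in m["rights"].split(",")),
               negate=(m["op"] == "!="),
               subjects=[s.strip() for s in m["dns"].split("||")])

def subject_matches(url: str, bind_dn: Optional[str], entry_dn: str) -> bool:
    """One userdn URL against the bind identity (bind_dn None = anonymous)."""
    if url == "ldap:///anyone":
        return True                                  # includes anonymous
    if url == "ldap:///all":
        return bind_dn is not None                   # any authenticated bind
    if url == "ldap:///self":
        return bind_dn is not None and norm(bind_dn) == norm(entry_dn)
    return bind_dn is not None and norm(strip_url(url)) == norm(bind_dn)

def aci_applies(aci: Aci, bind_dn: Optional[str], entry_dn: str) -> bool:
    in_scope = norm(entry_dn).endswith(norm(aci.target_dn))   # entry or subtree
    matched = any(subject_matches(u, bind_dn, entry_dn) for u in aci.subjects)
    return in_scope and (matched != aci.negate)    # "!=" inverts the match

def evaluate(acis, bind_dn, entry_dn, right) -> bool:
    allowed = denied = False
    for aci in acis:
        if aci_applies(aci, bind_dn, entry_dn) and (right in aci.rights or "all" in aci.rights):
            if aci.effect == "deny":
                denied = True
            else:
                allowed = True
    return allowed and not denied       # deny wins; with no allow, deny

# --- Constructed data (assumed, not taken from the page) -------------------
SUFFIX = "dc=dummy,dc=com"
TESTUSER = "uid=testuser,ou=People," + SUFFIX
JDOE = "uid=JDoe,ou=People," + SUFFIX
TARGET = f'(targetattr="*")(target="ldap:///{TESTUSER}")'

# Assumed suffix-wide read allow; without some allow a deny-only ACI grants nothing.
DEFAULT_READ = parse_aci(
    f'(targetattr="*")(target="ldap:///{SUFFIX}")(version 3.0;acl "default read";'
    'allow (read,search,compare) userdn = "ldap:///anyone";)')

# Reconstruction of the poster's three ACIs as the reply describes them.
THREE = [DEFAULT_READ] + [parse_aci(a) for a in (
    TARGET + '(version 3.0;acl "self";allow (all) userdn = "ldap:///self";)',
    TARGET + f'(version 3.0;acl "jdoe";allow (read) userdn = "ldap:///{JDOE}";)',
    TARGET + '(version 3.0;acl "no anon";deny (all) userdn = "ldap:///anyone";)',
)]

# Chen's combined ACI (three-slash ldap:/// prefix on both DNs).
COMBINED = [DEFAULT_READ, parse_aci(TARGET + f'''
 (version 3.0;acl "Self and JDoe (but no anon to all)";
 deny(all)(userdn != "ldap:///{TESTUSER} ||
 ldap:///{JDOE}");)''')]

def matrix(acis):
    """(read, write) outcome on testuser's entry for testuser, JDoe and anonymous."""
    who = {"testuser": TESTUSER, "JDoe": JDOE, "anonymous": None}
    return {name: (evaluate(acis, dn, TESTUSER, "read"),
                   evaluate(acis, dn, TESTUSER, "write")) for name, dn in who.items()}

if __name__ == "__main__":
    for label, acis in (("three ACIs", THREE), ("combined", COMBINED)):
        print(label, matrix(acis))
```

Running it shows the three-ACI set denying everyone (the deny(all) for anyone wins even over testuser's own allow), while the combined set lets testuser and JDoe read and shuts anonymous out; neither set grants testuser write, because the only allow left in the combined version is the assumed suffix-wide read. When applying this on a real server, confirm the outcome with ldapsearch as each of the three binds rather than trusting the ACI text.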