Here's what I'm starting with: (targetattr = "userPassword" ) (target = "ldap:///dc=example,dc=com";) (version 3.0; acl "Support can change passwords"; allow (all) (groupdn = "ldap:///cn=support,ou=groups,dc=example,dc=com";);) I just can't figure out how to write the exception. --BO On 3/30/07, Bjorn Oglefjorn <sys.mailing at gmail.com> wrote: > > Or maybe it's not so complicated and I don't know how. ;) > > This is what I'm trying to accomplish: > > Users who are a member of the group 'cn=support' > can perform ALL operations on 'userPassword', > except on targets which are a member of group 'cn=admins' or 'cn=bosses'. > > > Is this possible? I can't figure out how. Thanks in advance! > --BO > -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.fedoraproject.org/pipermail/389-users/attachments/20070402/1086c71b/attachment.html
