Bjorn Oglefjorn wrote: > Here's what I'm starting with: > > (targetattr = "userPassword" ) > (target = "ldap:///dc=example,dc=com";) > (version 3.0; > acl "Support can change passwords"; > allow (all) > (groupdn = "ldap:///cn=support,ou=groups,dc=example,dc=com";);) > > I just can't figure out how to write the exception. You can add a separate deny aci - deny takes precedence over allow. > --BO > > On 3/30/07, * Bjorn Oglefjorn* <sys.mailing at gmail.com > <mailto:sys.mailing at gmail.com>> wrote: > > Or maybe it's not so complicated and I don't know how. ;) > > This is what I'm trying to accomplish: > > Users who are a member of the group 'cn=support' > can perform ALL operations on 'userPassword', > except on targets which are a member of group 'cn=admins' or > 'cn=bosses'. > > Is this possible? I can't figure out how. Thanks in advance! > --BO > > > ------------------------------------------------------------------------ > > -- > Fedora-directory-users mailing list > Fedora-directory-users at redhat.com > https://www.redhat.com/mailman/listinfo/fedora-directory-users > -------------- next part -------------- A non-text attachment was scrubbed... Name: smime.p7s Type: application/x-pkcs7-signature Size: 3245 bytes Desc: S/MIME Cryptographic Signature Url : http://lists.fedoraproject.org/pipermail/389-users/attachments/20070402/cb279aeb/attachment.bin
