Thanks for the response Richard. This helps some, but how do I target the _members_ of, say 'cn=admins,ou=groups,dc=example,dc=com'? Thanks again, --BO On 4/2/07, Richard Megginson <rmeggins at redhat.com> wrote: > > Bjorn Oglefjorn wrote: > > Here's what I'm starting with: > > > > (targetattr = "userPassword" ) > > (target = "ldap:///dc=example,dc=com";) > > (version 3.0; > > acl "Support can change passwords"; > > allow (all) > > (groupdn = "ldap:///cn=support,ou=groups,dc=example,dc=com";);) > > > > I just can't figure out how to write the exception. > You can add a separate deny aci - deny takes precedence over allow. > > --BO > > > > On 3/30/07, * Bjorn Oglefjorn* <sys.mailing at gmail.com > > <mailto:sys.mailing at gmail.com>> wrote: > > > > Or maybe it's not so complicated and I don't know how. ;) > > > > This is what I'm trying to accomplish: > > > > Users who are a member of the group 'cn=support' > > can perform ALL operations on 'userPassword', > > except on targets which are a member of group 'cn=admins' or > > 'cn=bosses'. > > > > Is this possible? I can't figure out how. Thanks in advance! > > --BO > > > > > > ------------------------------------------------------------------------ > > > > -- > > Fedora-directory-users mailing list > > Fedora-directory-users at redhat.com > > https://www.redhat.com/mailman/listinfo/fedora-directory-users > > > > -- > Fedora-directory-users mailing list > Fedora-directory-users at redhat.com > https://www.redhat.com/mailman/listinfo/fedora-directory-users > > > -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.fedoraproject.org/pipermail/389-users/attachments/20070402/aef2f245/attachment.html
