On Saturday 25 July 2009 06:17:27 pm John A. Sullivan III wrote:
> As I mentioned, I've never tried it using just the value and swapping
> attributes. I would expect it would work. We have used variable
> substitution very successfully in some quite complex ACIs.
>
> (target = "ldap:///($dn),o=internal,dc=ssiservices,dc=biz")(targetattr !
> = "sambaLMPassword || sambaNTPassword || userPassword") (version 3.0;acl
> "Client Internal Directory Searcher";allow (read,compare,search)(userdn
> = "ldap:///uid=*dsearcher, [$dn],o=sysaccounts,dc=ssiservices,dc=biz");)
>
> I would have thought what you were doing would work just as you
> described. The biggest problem we have faced is not being able to use
> wildcards in groupdn although we can in userdn.
>
> I can say that using the complete attribute does work as advertised.
> Hopefully the gurus will return to the list soon! I'd like to know why
> what you have proposed doesn't work. Good luck - John

<more snippage>

I have gotten much closer. I think I'll need to tighten them up a bit
(parents/children/etc), but here's where I got so far...

http://messinet.com/trac/egw/browser/README.389DS

Thanks for your help. If you think of anything else, let me know. I surely
wouldn't call this solved.

-A

--
Anthony - http://messinet.com - http://messinet.com/~amessina/gallery
8F89 5E72 8DF0 BCF0 10BE 9967 92DC 35DC B001 4A4E