On Sun, 2005-12-11 at 14:11 -0700, Richard Megginson wrote: > >Yeah you are correct on all these accounts. Obviously the default rule > >is always to not allow whatever isn't expressly permitted and yes, there > >was the default anonymous allow rule that played into it. > > > >What I did discover was if I attached the following ACI to > >ou=AddressBook,dc=clsurvey,dc=com it doesn't work but if I attach it to > >dc=clsurvey,dc=com it does work. > > > > > I'm not sure why, but most of the time, the (target = ..) clause is not > necessary. acis have subtree scope - they apply to the entry containing > the aci and all children and decendents of that entry. So if the > following aci is in the entry dc=clsurvey,dc=com, you don't need the > (target....) clause. > > >(targetattr = "*") > >(target = "ldap:///*,ou=AddressBook,dc=clsurvey,dc=com";) > >(version 3.0; > >acl "AddressBook Administrator"; > >allow (all) > >(userdn = > >"ldap:///uid=Administrator,ou=People,ou=Accounts,dc=clsurvey,dc=com";) > >;) ---- If I remove the 'target' phrase, the ACI takes on an entirely different meaning - that the dn can read and write anything inside of dc=clsurvey,dc=com and my interest was only that the dn can do anything inside the target itself. My point was simply that if I attached that same ACI to the target itself, it doesn't work. If I attach it to dc=clsurvey,dc=com - it works. Thanks Craig -- Fedora-directory-users mailing list Fedora-directory-users@xxxxxxxxxx https://www.redhat.com/mailman/listinfo/fedora-directory-users
