Thanks again,
--BO
On 4/2/07,
Richard Megginson <rmeggins@xxxxxxxxxx> wrote:
Bjorn Oglefjorn wrote:
> Here's what I'm starting with:
>
> (targetattr = "userPassword" )
> (target = "ldap:///dc=example,dc=com")
> (version 3.0;
> acl "Support can change passwords";
> allow (all)
> (groupdn = "ldap:///cn=support,ou=groups,dc=example,dc=com");)
>
> I just can't figure out how to write the exception.
You can add a separate deny aci - deny takes precedence over allow.
> --BO
>
> On 3/30/07, * Bjorn Oglefjorn* <sys.mailing@xxxxxxxxx
> <mailto:sys.mailing@xxxxxxxxx>> wrote:
>
> Or maybe it's not so complicated and I don't know how. ;)
>
> This is what I'm trying to accomplish:
>
> Users who are a member of the group 'cn=support'
> can perform ALL operations on 'userPassword',
> except on targets which are a member of group 'cn=admins' or
> 'cn=bosses'.
>
> Is this possible? I can't figure out how. Thanks in advance!
> --BO
>
>
> ------------------------------------------------------------------------
>
> --
> Fedora-directory-users mailing list
> Fedora-directory-users@xxxxxxxxxx
> https://www.redhat.com/mailman/listinfo/fedora-directory-users
>
--
Fedora-directory-users mailing list
Fedora-directory-users@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-directory-users
-- Fedora-directory-users mailing list Fedora-directory-users@xxxxxxxxxx https://www.redhat.com/mailman/listinfo/fedora-directory-users
