--- Chen Shaopeng <[EMAIL PROTECTED]> wrote:
>
> Note that ACIs are logically ORed during evaluation.
> And "deny"
> always takes precedence over "allow". So, your ACI
> which [deny(all)(userdn="ldap:///anyone";)] will take
> precendence
> over the other two. Therefore, even Test User is
> denied reading
> his own data.
>
> You can combine the 3 ACIs above into the following:
>
>
(targetattr="*")(target="ldap:///uid=testuser,ou=People,dc=dummy,dc=com";)
> (version 3.0;acl "Self and JDoe (but no anon to
> all)";
> deny(all)(userdn !=
> "ldap:///uid=testuser,ou=People,dc=dummy,dc=com ||
> ldap://uid=JDoe,ou=People,dc=dummy,dc=com";);)
>
> This tells the server to deny to all on that
> specific target except
> if userdn is "testuser" or "JDoe" .
>
> Hope that helps.
>
Thanks a lot, Chen! Exactly what I want :)
sz
__________________________________
Yahoo! FareChase: Search multiple travel sites in one click.
http://farechase.yahoo.com
--
Fedora-directory-users mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/fedora-directory-users
