On Tue, Dec 02, 2008 at 02:14:52PM +1000, Brett @Google wrote:
> Assuming we add to the above a user that has LESS access than the default, i.e.:
>
> access to attr=c,o,ou,cn,sn,givenName,mail
>     by dn.exact=cn=limited,dc=example,dc=com
>     by * none (or break)
>
> This literally won't work as intended, because even if the above does
> not match, the
>
> access to *
>     by self write
>     by users read
>
> will always give users read by default.
You could split the rule into two clauses:

access to attr=c,o,ou,cn,sn,givenName,mail,entry
    by dn.exact=cn=limited,dc=example,dc=com read
    by * break
access to *
    by dn.exact=cn=limited,dc=example,dc=com none
    by * break

Note that I have added the 'entry' pseudo-attribute to the first clause.
Depending on the structure of your DIT you may also need to add rules to
permit access to the RDN components of entries higher up the tree.

The 'by * break' statement is an easy way of making sure this clause does
not affect any other users.

Andrew
--
-----------------------------------------------------------------------
| From Andrew Findlay, Skills 1st Ltd                                 |
| Consultant in large-scale systems, networks, and directory services |
| http://www.skills-1st.co.uk/                        +44 1628 782565 |
-----------------------------------------------------------------------
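To make the difference between the two rule sets concrete, here is a small Python model of how slapd walks access directives (first matching "access to", then first matching "by"; "stop" ends evaluation, "break" moves on to the next directive). This is an added illustration, not OpenLDAP code and not from either poster: it models only the selectors the thread uses (attrs=, "*", dn.exact, self, users), assumes a directive with no matching "by" clause yields none (the implicit "by * none stop"), assumes a request matching no directive yields none, and treats a "by" clause that names no level ("by * break") as leaving the running level unchanged. Brett's first "by" clause carries no access level, so the model fills in "read", which is what the thread's intent requires, and takes the "(or break)" variant of his second clause; the entry DNs and the userPassword probe are constructed for the example.

```python
"""Toy model of slapd access-directive evaluation (illustrative only).

Not OpenLDAP code.  Models only: 'access to attrs=...'/'access to *',
'by dn.exact=...', 'by self', 'by users', 'by *', absolute access levels,
and the stop/break controls.  Assumptions: a directive whose 'by' clauses
all miss yields none; a request matching no directive yields none; a
clause with no level ('by * break') leaves the running level unchanged.
"""
from dataclasses import dataclass, field
from typing import List, Optional, Set

# Privilege order, lowest to highest (slapd.access(5)).
LEVELS = ["none", "disclose", "auth", "compare", "search", "read", "write", "manage"]


@dataclass
class By:
    who: str                        # "dn.exact=<dn>", "self", "users" or "*"
    access: Optional[str] = None    # absolute level, or None when omitted
    control: str = "stop"           # "stop" (default) or "break"


@dataclass
class AccessTo:
    attrs: Optional[Set[str]]       # lower-cased attribute names; None = 'access to *'
    bys: List[By] = field(default_factory=list)


def who_matches(who: str, requester: str, target: str) -> bool:
    """Does a 'by <who>' selector match this requester on this target entry?"""
    if who == "*":
        return True
    if who == "users":
        return requester != ""       # anonymous binds are modelled as the empty DN
    if who == "self":
        return requester != "" and requester.lower() == target.lower()
    if who.startswith("dn.exact="):
        return requester.lower() == who[len("dn.exact="):].lower()
    raise ValueError(f"unsupported selector {who!r}")


def evaluate(acls: List[AccessTo], requester: str, target: str, attr: str) -> str:
    """Return the level the requester ends up with on (target, attr)."""
    level = "none"
    attr = attr.lower()
    for rule in acls:
        if rule.attrs is not None and attr not in rule.attrs:
            continue                 # directive does not apply to this attribute
        for by in rule.bys:
            if not who_matches(by.who, requester, target):
                continue
            if by.access is not None:
                level = by.access
            if by.control == "stop":
                return level         # first matching 'by' decides
            break                    # 'break' control: go on to the next directive
        else:
            return "none"            # implicit 'by * none stop'
    return level


def grants(level: str, wanted: str) -> bool:
    """True if the granted level covers the requested operation."""
    return LEVELS.index(level) >= LEVELS.index(wanted)


LIMITED = "cn=limited,dc=example,dc=com"
PUBLIC_ATTRS = {"c", "o", "ou", "cn", "sn", "givenname", "mail"}

# Brett's original rule set ('read' on the first clause and 'break' on the
# second are the model's assumptions, see above).
ORIGINAL = [
    AccessTo(PUBLIC_ATTRS, [By(f"dn.exact={LIMITED}", "read"), By("*", None, "break")]),
    AccessTo(None, [By("self", "write"), By("users", "read")]),
]

# Andrew's split rule set, with the 'entry' pseudo-attribute added.
SPLIT = [
    AccessTo(PUBLIC_ATTRS | {"entry"},
             [By(f"dn.exact={LIMITED}", "read"), By("*", None, "break")]),
    AccessTo(None, [By(f"dn.exact={LIMITED}", "none"), By("*", None, "break")]),
    AccessTo(None, [By("self", "write"), By("users", "read")]),
]

# Constructed entries for the probes below.
BOB = "uid=bob,ou=people,dc=example,dc=com"
ALICE = "uid=alice,ou=people,dc=example,dc=com"


def compare(requester: str, target: str, attr: str):
    """(level under ORIGINAL, level under SPLIT) for one probe."""
    return evaluate(ORIGINAL, requester, target, attr), evaluate(SPLIT, requester, target, attr)


if __name__ == "__main__":
    probes = [(LIMITED, BOB, "mail"), (LIMITED, BOB, "userPassword"),
              (LIMITED, BOB, "entry"), (BOB, BOB, "userPassword"),
              (BOB, ALICE, "mail"), ("", ALICE, "mail")]
    for req, tgt, attr in probes:
        orig, split = compare(req, tgt, attr)
        print(f"{req or '<anonymous>':38} {attr:13} original={orig:5} split={split}")
```

The probe that matters is cn=limited against another entry's userPassword: under the original rules the first directive never matches that attribute, so evaluation falls through to "access to * ... by users read" and the limited account gets read; under the split rules the second directive catches cn=limited with none before the fall-through, while "by * break" lets every other requester reach the default directive unchanged.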