Please keep replies on the list.
On Mon, 19 Oct 2009, Edward Capriolo wrote:
[...cut...]
As you have said, .*managed people are never able to auth once that
rule is put in place. So if I understand you correctly I should do
this:
access to dn.regex="mail=.*[email protected],ou=user,ou=jointhegrid.com,o=jointhegrid,c=US"
    attrs=userPassword,accountstatus
    by dn="[email protected],ou=user,ou=jointhegrid.com,o=jointhegrid,c=US" write stop
    by dn="[email protected],ou=user,ou=jointhegrid,o=jointhegrid,c=US" write stop
    by * none break
access to attr=userPassword
    by self write
    by anonymous auth
    by dn="[email protected],ou=user,ou=jointhegrid.com,o=jointhegrid,c=US" read
    by dn="[email protected],ou=user,ou=jointhegrid-inc.com,o=jointhegrid,c=US" read
    by * none
?
Sure, that's a reasonable first move, if I'm understanding your desires
correctly. Personally I like being very very very explicit in my ACLs, so
I might actually write out dn.exact and put the * in "access to
attr=userPassword." But you can worry about that in version 5...
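The whole point of the "by * none break" on the first directive is the order-of-evaluation rule from slapd.access(5): the first "access to" whose target matches the entry and attribute is the one that is used, and within it the first matching "by" clause decides, with "stop" (the default) ending evaluation and "break" handing off to the next directive. Below is an added example, not part of this thread and not OpenLDAP's code: a small Python model of that evaluation, run against the two-directive layout quoted above. The DNs (admin@example.invalid, helpdesk@example.invalid, the .*managed pattern) are constructed placeholders, and the model is a simplification (no incremental "+/-" privileges, no "disclose" level).

```python
import re

# Toy model of how slapd evaluates "access to ... by ..." directives
# (a simplified reading of slapd.access(5); constructed for illustration,
# not OpenLDAP's own code). Directives are tried in order; the first one
# whose target matches the entry and attribute is used; within it the first
# matching "by" clause sets the access level and its control word decides
# what happens next: stop (the default) ends evaluation, continue tries the
# next "by" clause, break moves on to the next "access to" directive.
LEVELS = ["none", "auth", "compare", "search", "read", "write"]

# Constructed placeholder DNs, not the ones from the thread.
ADMIN_DN = "mail=admin@example.invalid,ou=user,o=example,c=US"
HELPDESK_DN = "mail=helpdesk@example.invalid,ou=user,o=example,c=US"
MANAGED_RE = r"mail=.*managed@example\.invalid,ou=user,o=example,c=US"
MANAGED_USER = "mail=bob.managed@example.invalid,ou=user,o=example,c=US"
PLAIN_USER = "mail=alice@example.invalid,ou=user,o=example,c=US"


def who_matches(who, entry_dn, requester_dn):
    """requester_dn is None for an anonymous (unauthenticated) requester."""
    if who == "*":
        return True
    if who == "anonymous":
        return requester_dn is None
    if who == "self":
        return requester_dn is not None and requester_dn.lower() == entry_dn.lower()
    _kind, dn = who  # ("dn", "<exact dn>"), i.e. dn.exact in slapd terms
    return requester_dn is not None and requester_dn.lower() == dn.lower()


def evaluate(acl, entry_dn, attr, requester_dn):
    """Return the access level the requester ends up with on entry_dn/attr."""
    granted = "none"  # implicit "by * none" when nothing ever matches
    for target_re, attrs, by_clauses in acl:
        if not re.fullmatch(target_re, entry_dn, re.IGNORECASE):
            continue
        if attrs is not None and attr not in attrs:
            continue
        matched = False
        for who, level, control in by_clauses:
            if not who_matches(who, entry_dn, requester_dn):
                continue
            matched = True
            granted = level
            if control == "stop":
                return granted
            if control == "break":
                break  # leave this directive and try the next one
            # "continue": later matching by clauses override the level
        else:
            # Ran out of by clauses in a directive that matched the target:
            # slapd treats that as an implicit "by * none stop".
            return granted if matched else "none"
    return granted


def build_acl(control_after_exceptions):
    """The two-directive layout from the thread; the control word on the
    trailing 'by * none' of the first directive is the parameter."""
    return [
        # access to dn.regex="<managed users>" attrs=userPassword,accountstatus
        (MANAGED_RE, {"userPassword", "accountstatus"}, [
            (("dn", ADMIN_DN), "write", "stop"),
            (("dn", HELPDESK_DN), "write", "stop"),
            ("*", "none", control_after_exceptions),
        ]),
        # access to * attrs=userPassword
        (r".*", {"userPassword"}, [
            ("self", "write", "stop"),
            ("anonymous", "auth", "stop"),
            (("dn", ADMIN_DN), "read", "stop"),
            (("dn", HELPDESK_DN), "read", "stop"),
            ("*", "none", "stop"),
        ]),
    ]


ACL_BREAK = build_acl("break")  # as written in the thread
ACL_STOP = build_acl("stop")    # what you get if the "break" is left off


def can_bind(acl, user_dn):
    """A simple bind needs at least 'auth' on userPassword for the anonymous requester."""
    level = evaluate(acl, user_dn, "userPassword", None)
    return LEVELS.index(level) >= LEVELS.index("auth")


if __name__ == "__main__":
    for name, acl in (("break", ACL_BREAK), ("stop", ACL_STOP)):
        print(f"{name:5}: managed user can bind: {can_bind(acl, MANAGED_USER)}, "
              f"plain user can bind: {can_bind(acl, PLAIN_USER)}, "
              f"admin on managed userPassword: "
              f"{evaluate(acl, MANAGED_USER, 'userPassword', ADMIN_DN)}")
```

With "break", an anonymous requester falls through to the second directive and gets "auth" on a managed user's userPassword, so those users can still bind; with "stop" the first directive's "by * none" ends evaluation and they never can, which is the behaviour described at the top of the thread. Note that accountstatus is only covered by the first directive, so after the break nothing else grants it and the result stays "none".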