Bjorn Oglefjorn wrote:
Here's what I'm starting with:
(targetattr = "userPassword" )
(target = "ldap:///dc=example,dc=com")
(version 3.0;
acl "Support can change passwords";
allow (all)
(groupdn = "ldap:///cn=support,ou=groups,dc=example,dc=com");)
I just can't figure out how to write the exception.
You can add a separate deny
aci - deny takes precedence over allow.
--BO
On 3/30/07, * Bjorn Oglefjorn* <sys.mailing(a)gmail.com
<mailto:sys.mailing@gmail.com>> wrote:
Or maybe it's not so complicated and I don't know how. ;)
This is what I'm trying to accomplish:
Users who are a member of the group 'cn=support'
can perform ALL operations on 'userPassword',
except on targets which are a member of group 'cn=admins' or
'cn=bosses'.
Is this possible? I can't figure out how. Thanks in advance!
--BO
------------------------------------------------------------------------
--
Fedora-directory-users mailing list
Fedora-directory-users(a)redhat.com
https://www.redhat.com/mailman/listinfo/fedora-directory-users