Hello Michael,

On 30.06.2016 at 11:29, Michael Ströder wrote:
>> * ACL rules can't be bound to the ldap operation (search, auth, add,
>> modify, delete, ...), you can only remove e.g. some of the permission
>> bits (e.g. access to if-operation="search" ...)
> Setting the privileges is IMO sufficient.

I see this differently. One example where this is useful would be the following:
I would like to e.g. add a rule at the very top of all ACL definitions:

"access to attrs=uidNumber value=0 by * none stop"

But this prevents any other rule afterwards from making it *readable*.
Having something like:

"access to attrs=uidNumber value=0 if-operation="write,manage" by * none stop"

would solve this problem.

Best regards
Florian

-- 
Florian Best
Open Source Software Engineer
Univention GmbH
be open
Mary-Somerville-Str.1
28359 Bremen
Tel.: +49 421 22232-0
Fax : +49 421 22232-99
[email protected]
http://www.univention.de
Managing Director: Peter H. Ganten
HRB 20755 Amtsgericht Bremen
Tax No.: 71-597-02876
