I can't seem to get this right. I have a bunch of users in a group, cn=noc,ou=groups,dc=company,dc=com, who should be able to move a list from ou=internalLists,ou=mail,ou=service,dc=company,dc=com to ou=externalLists,ou=mail,ou=service,dc=company,dc=com.
The DN for that list is:
cn=mylist,ou=internalLists,ou=mail,ou=service,dc=company,dc=com
These are the ACLs I have for the ou=mail,ou=service,dc=company,dc=com subtree:
access to dn.subtree="ou=externalLists,ou=mail,ou=service,dc=company,dc=com"
    by group/groupOfUniqueNames/uniqueMember="cn=noc,ou=Groups,dc=company,dc=com" write
    by * break
access to dn.subtree="ou=internalLists,ou=mail,ou=service,dc=company,dc=com"
    by group/groupOfUniqueNames/uniqueMember="cn=noc,ou=Groups,dc=company,dc=com" write
    by * break
access to dn.subtree="ou=mail,ou=service,dc=company,dc=com"
    by group/groupOfUniqueNames/uniqueMember="cn=ops,ou=Groups,dc=company,dc=com" write
    by * read
The above ACLs work, but they also give the group 'noc' access to move other lists as well. I just want to restrict it to that one list (cn=mylist). So, I tried the following:
access to dn.subtree="ou=externalLists,ou=mail,ou=service,dc=company,dc=com"
        filter="(cn=mylist)"
    by group/groupOfUniqueNames/uniqueMember="cn=noc,ou=Groups,dc=company,dc=com" write
    by * break
access to dn.subtree="ou=internalLists,ou=mail,ou=service,dc=company,dc=com"
        filter="(cn=mylist)"
    by group/groupOfUniqueNames/uniqueMember="cn=noc,ou=Groups,dc=company,dc=com" write
    by * break
access to dn.subtree="ou=mail,ou=service,dc=company,dc=com"
    by group/groupOfUniqueNames/uniqueMember="cn=ops,ou=Groups,dc=company,dc=com" write
    by * read
This gives me 'Insufficient access' error. What am I doing wrong?
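The following is an added example, not part of the original post or any reply to it, showing one ACL layout that scopes the move to a single list. It assumes the server is OpenLDAP slapd using the slapd.conf ACL syntax the post uses, that the list keeps its RDN cn=mylist when moved, and that cn=noc,ou=Groups,dc=company,dc=com is a groupOfUniqueNames as the post's rules already state. The reasoning it rests on: a modrdn with a new superior is checked against the "entry" pseudo-attribute of the entry being moved, the "children" pseudo-attribute of both the old and the new parent, and the RDN attribute that is re-added on the renamed entry. A rule with filter="(cn=mylist)" matches the list entry but never matches the two ou= parent entries, so the "children" check on those parents falls through "by * break" to the general rule, where noc only has read.

```conf
# Added example (not from the original post): let members of
# cn=noc,ou=Groups,dc=company,dc=com move exactly one list, cn=mylist,
# between ou=internalLists and ou=externalLists, and nothing else.
# slapd.conf syntax; continuation lines must start with whitespace.
#
# A modrdn with newSuperior needs write access to:
#   - the "entry" pseudo-attribute of the entry being moved,
#   - the "children" pseudo-attribute of the old parent and of the new parent,
#   - the RDN attribute (cn here) that is re-added on the renamed entry.
# filter="(cn=mylist)" never matches the two ou= entries, so it cannot
# grant the "children" write; the rules below close that gap explicitly.

# 1. The list itself, at either of its two possible locations.
#    Only the entry and its naming attribute are writable for noc; every
#    other attribute falls through (break) to the general rule.
access to dn.base="cn=mylist,ou=internalLists,ou=mail,ou=service,dc=company,dc=com"
        attrs=entry,cn
    by group/groupOfUniqueNames/uniqueMember="cn=noc,ou=Groups,dc=company,dc=com" write
    by * break

access to dn.base="cn=mylist,ou=externalLists,ou=mail,ou=service,dc=company,dc=com"
        attrs=entry,cn
    by group/groupOfUniqueNames/uniqueMember="cn=noc,ou=Groups,dc=company,dc=com" write
    by * break

# 2. The two parent OUs: "children" write is required to detach the entry
#    from one parent and attach it under the other. dn.base limits this to
#    the OU entry itself, not to every list beneath it.
access to dn.base="ou=internalLists,ou=mail,ou=service,dc=company,dc=com"
        attrs=children
    by group/groupOfUniqueNames/uniqueMember="cn=noc,ou=Groups,dc=company,dc=com" write
    by * break

access to dn.base="ou=externalLists,ou=mail,ou=service,dc=company,dc=com"
        attrs=children
    by group/groupOfUniqueNames/uniqueMember="cn=noc,ou=Groups,dc=company,dc=com" write
    by * break

# 3. General rule, unchanged from the post: ops has full write, everyone else read.
access to dn.subtree="ou=mail,ou=service,dc=company,dc=com"
    by group/groupOfUniqueNames/uniqueMember="cn=ops,ou=Groups,dc=company,dc=com" write
    by * read
```

Granting "children" write on the two OUs does not by itself let noc add, delete or rename the other lists: each of those operations is also checked against the "entry" pseudo-attribute (and, for add, the attributes) of the affected list, and for every list other than cn=mylist that check falls through to the general rule's read. To verify without touching data, run slapacl(8) against the configuration, for example slapacl -b "ou=externalLists,ou=mail,ou=service,dc=company,dc=com" -D "<DN of a noc member>" children/write, and the same for the entry/write check on cn=mylist; then perform the real move with ldapmodrdn, bound as a noc member, passing the new parent with -s and repeating it against a different list to confirm that one is refused with insufficient access. Rule order matters: the specific rules must appear before the subtree rule, since slapd uses the first "access to" clause whose <what> matches.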