
Re: acls and restricting permissions
On Wed, Dec 3, 2008 at 12:30 AM, Andrew Findlay
<andrew.findlay@skills-1st.co.uk> wrote:
> You could split the rule into two clauses:
>
> access to attr=c,o,ou,cn,sn,givenName,mail,entry
>     by dn.exact=cn=limited,dc=example,dc=com read
>     by * break
>
> access to *
>     by dn.exact=cn=limited,dc=example,dc=com none
>     by * break

Thanks for your assistance, Andrew. This approach seems to be working well.

I needed to add more attributes, but primarily only to make my LDAP
browser happy, allow syncrepl, and some handy informational attributes
for the carbon-based lifeforms who maintain the data.

Cheers
Brett

For posterity, and Google, the final config came out as:

# allow replicator to read all
access to *
    by dn.exact="cn=replicator,dc=example,dc=com" read
    by * break

# restricted set of non-operational attributes
access to attr=c,o,ou,cn,sn,givenName,mail,entry
    by dn.exact="cn=limited,dc=example,dc=com" read
    by * break

# for browsing / syncrepl
access to attr=objectClass,hasSubordinates,entryDN,entryCSN,entryUUID
    by dn.exact="cn=limited,dc=example,dc=com" read
    by * break

# modify/create information
access to attr=createTimeStamp,modifyTimestamp,creatorsName,modifiersName
    by dn.exact="cn=limited,dc=example,dc=com" read
    by * break

# disallow other access by limited user
access to *
    by dn.exact="cn=limited,dc=example,dc=com" none
    by * break

# default rules
access to *
    by self write
    by * read
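Added after the post (not part of it, and not OpenLDAP's own code): a small Python model of the evaluation order that makes the split-clause trick above work. slapd.access(5) tries access directives in order, selects the first whose "what" matches the target, then tries that directive's "by" clauses in order; the first matching clause decides, unless it says "break", in which case evaluation moves on to the next matching directive. The model covers only the selectors the config uses ("*", attr=..., dn.exact=, self) and assumes a clause without an access level, such as "by * break", leaves the level accumulated so far unchanged. The entry DNs for bob and alice are constructed for the demo; the replicator and limited DNs are the ones from the config.

```python
"""Added example, not from the original post or from OpenLDAP: a model of how
slapd walks 'access to ... by ...' directives, following slapd.access(5).
The first directive whose <what> matches is selected, its <by> clauses are tried
in order and the first match decides; 'break' moves on to the next directive."""
from dataclasses import dataclass
from typing import List, Optional

LEVELS = ["none", "disclose", "auth", "compare", "search", "read", "write", "manage"]

@dataclass
class By:
    who: str                # '*', 'self' or 'dn.exact=<dn>'
    level: Optional[str]    # None when omitted, as in 'by * break'
    control: str = "stop"   # 'stop' (the default) or 'break'

@dataclass
class Access:
    what: str               # '*' or 'attr=<comma-separated list>'
    by: List[By]

def parse(text: str) -> List[Access]:
    """Parse the slapd.conf ACL subset used in the post; '#' comments are skipped."""
    rules: List[Access] = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.startswith("access to "):
            rules.append(Access(line[len("access to "):], []))
            continue
        if not line.startswith("by "):
            raise ValueError(f"unsupported line: {raw!r}")
        parts = line.replace('"', "").split()   # quotes around DNs are optional
        level = next((t for t in parts[2:] if t in LEVELS), None)
        rules[-1].by.append(By(parts[1], level, "break" if "break" in parts[2:] else "stop"))
    return rules

def what_matches(what: str, attr: str) -> bool:
    if what == "*":
        return True
    if what.startswith("attr="):   # attribute names compare case-insensitively
        return attr.lower() in what[len("attr="):].lower().split(",")
    raise ValueError(f"unsupported <what>: {what!r}")

def who_matches(who: str, requester: str, entry_dn: str) -> bool:
    if who == "*":
        return True
    if who == "self":
        return requester.lower() == entry_dn.lower()
    if who.startswith("dn.exact="):
        return requester.lower() == who[len("dn.exact="):].lower()
    raise ValueError(f"unsupported <who>: {who!r}")

def check(rules: List[Access], requester: str, entry_dn: str, attr: str) -> str:
    """Return the access level `requester` ends up with for `attr` on `entry_dn`."""
    level = "none"
    for rule in rules:
        if not what_matches(rule.what, attr):
            continue
        for clause in rule.by:
            if not who_matches(clause.who, requester, entry_dn):
                continue
            if clause.level is not None:
                level = clause.level
            if clause.control == "break":
                break           # carry the level on to the next matching directive
            return level        # 'stop': the first matching clause decides
        else:
            return "none"       # no <by> clause matched: same as 'by * none'
    return level                # ran off the end after a 'break'

# The final config from the post, without its comments.
CONFIG = """
access to *
    by dn.exact="cn=replicator,dc=example,dc=com" read
    by * break
access to attr=c,o,ou,cn,sn,givenName,mail,entry
    by dn.exact="cn=limited,dc=example,dc=com" read
    by * break
access to attr=objectClass,hasSubordinates,entryDN,entryCSN,entryUUID
    by dn.exact="cn=limited,dc=example,dc=com" read
    by * break
access to attr=createTimeStamp,modifyTimestamp,creatorsName,modifiersName
    by dn.exact="cn=limited,dc=example,dc=com" read
    by * break
access to *
    by dn.exact="cn=limited,dc=example,dc=com" none
    by * break
access to *
    by self write
    by * read
"""
RULES = parse(CONFIG)
# Same directives with the 'none' rule moved ahead of the attribute rules, to show
# why the order of the split clauses matters.
MISORDERED = [RULES[0], RULES[4], *RULES[1:4], RULES[5]]

LIMITED = "cn=limited,dc=example,dc=com"
REPLICATOR = "cn=replicator,dc=example,dc=com"
BOB = "uid=bob,dc=example,dc=com"   # constructed entry DN for the demo
```

Calling check(RULES, LIMITED, BOB, "cn") gives "read" while check(RULES, LIMITED, BOB, "userPassword") gives "none", because the limited DN only reaches the catch-all "none" directive for attributes that no earlier attr= directive named. With the same directives in MISORDERED, check(MISORDERED, LIMITED, BOB, "cn") is "none": the first-match rule means the catch-all deny shadows the attribute grants if it comes first. Other binds fall through every "by * break" to the last directive, so bob gets "write" on his own entry and any other DN gets "read".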