[Date Prev][Date Next] [Chronological] [Thread] [Top]

questions about acls.

okay i'm trying to lock down my ldap server and have a couple questions
that i'm not sure about.

so, here are some questions

- what does the token "auth" actually mean and how is it different from

- which is the difference between "search" and "read" (does search mean
  you can pass through a node without actually being able to read
  data? like the execute bit on a unix directory without the read bit?)

- what information does a user require access to in order to bind to the
  ldap server?  obviously they need access to "userPassword" but
  presumably they also need the ability to read their RDN, and to search
  to the point where their DN is stored?

- (sorry this is off topic but i'm hoping someone knows) does the
  pam/nssldap user require (in my case proxyagent) write access for users
  to be able to update their password via pam?  or do the pam libraries
  bind as the user for that operation?

- is there anyway to be able to use an acl in the form of:

  access to *
    by group="cn=admin,ou=group,dc=example,dc=net" write
    by * none

  where the group "admin" is a "posixGroup" and the member are included
  with the attribute "memberUid".  if not then how should i be doing it?
  do i need to change "admin" from a "posixGroup" to a "groupOfNames"?

if there is a stash of example acl's somewhere i'd love to know about it.
i've ransacked the net but it's hard going finding examples doing what i
want to do.