Questions about ACLs.
Okay, I'm trying to lock down my LDAP server and have a couple of questions
that I'm not sure about.
So, here are some questions:
- What does the token "auth" actually mean, and how is it different from
- What is the difference between "search" and "read"? (Does search mean
  you can pass through a node without actually being able to read
  data, like the execute bit on a Unix directory without the read bit?)
- What information does a user require access to in order to bind to the
  LDAP server? Obviously they need access to "userPassword", but
  presumably they also need the ability to read their RDN and to search
  to the point where their DN is stored?
- (Sorry, this is off topic, but I'm hoping someone knows.) Does the
  pam_ldap/nss_ldap user (in my case proxyagent) require write access for
  users to be able to update their password via PAM? Or do the PAM
  libraries bind as the user for that operation?
- Is there any way to use an ACL of the form:

      access to *
              by group="cn=admin,ou=group,dc=example,dc=net" write
              by * none

  where the group "admin" is a "posixGroup" and the members are listed
  in the attribute "memberUid"? If not, then how should I be doing it?
  Do I need to change "admin" from a "posixGroup" to a "groupOfNames"?
If there is a stash of example ACLs somewhere, I'd love to know about it.
I've ransacked the net, but it's hard going finding examples that do what I
want to do.
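A worked slapd.conf ACL stanza for the layout described in the question, added here as an example; it is not part of the original post and not an answer from the list. It relies on how OpenLDAP's slapd evaluates access levels: levels are cumulative (none < auth < compare < search < read < write), "auth" lets a value be used to authenticate a bind without ever being returned, "search" lets an attribute be used in a filter, and "read" lets it be returned. A simple bind only needs "auth" on userPassword for the identity doing the bind (normally anonymous); the uid-to-DN lookup that pam_ldap/nss_ldap do before binding is a separate search, done here as the proxyagent. The "group" clause only matches DN-valued attributes, so a posixGroup's memberUid cannot be used with it; the example uses a groupOfNames and shows a "set" clause as the alternative if the group must stay a posixGroup. The DNs (ou=people, the proxyagent entry, the admin group) are assumptions, and the set clause assumes your slapd build supports sets.

```conf
# Added example, not from the original post. Assumed tree:
#   users  under ou=people,dc=example,dc=net
#   admins in    cn=admin,ou=group,dc=example,dc=net (groupOfNames, "member" holds DNs)
#   lookup DN    cn=proxyagent,dc=example,dc=net
# ACLs are evaluated top down and the first "access to" that matches the target wins,
# so the narrow userPassword rule must come before the catch-all.

# userPassword: nobody can read it back. Admins may set it, a user may change
# their own, and anonymous gets "auth" only, which is all a bind needs.
# (If the PAM password change binds as the user, "by self write" is enough;
# proxyagent does not need write here.)
access to attrs=userPassword
        by group="cn=admin,ou=group,dc=example,dc=net" write
        by self write
        by anonymous auth
        by * none

# Everything else: admins write; proxyagent and bound users may read
# (proxyagent needs "read", not just "search", so that the uid=... lookup
# returns the entry and its DN); anonymous gets nothing.
access to *
        by group="cn=admin,ou=group,dc=example,dc=net" write
        by dn="cn=proxyagent,dc=example,dc=net" read
        by users read
        by * none

# Alternative if "admin" must stay a posixGroup (assumes sets are available
# in your slapd): match the binding user's uid against the group's memberUid
# values instead of using the DN-based "group" clause.
#
# access to *
#         by set="[cn=admin,ou=group,dc=example,dc=net]/memberUid & user/uid" write
#         by dn="cn=proxyagent,dc=example,dc=net" read
#         by users read
#         by * none
```

After loading the config, verify it from the client side rather than by reading the file: an anonymous `ldapsearch -x` against a user entry should return nothing, a bind as a user (`ldapwhoami -x -D uid=...,ou=people,dc=example,dc=net -W`) should still succeed, and a search as proxyagent should return entries without the userPassword attribute.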