
Re: permissions (acl) for nss_ldap

access to attr=objectClass
       by dn="your-admin-dn-here" write
       by * read

Interesting. So giving access to an objectclass gives the entity (DN, group, etc) access to all attributes under that objectclass?


In this order, the security of your password will be protected, but the read access to the objectClass posixAccount needed by nss_ldap will be provided. You can't specify access to posixAccount without giving access to objectClass because the former is a value of the latter.

Your rootbinddn should then be whatever you set as your admindn. You could
also set up a special user to do this root binding. I use the same one I
use for replication. You will need to put the password for this user in
/etc/ldap.secret in plain text, so this file should be readable only by


On Mon, 14 Jan 2002, Stephan Lauffer wrote:


hope it's not too OT here...

maybe somebody has already checked out acl settings
for the use of nss_ldap (objectclass: posixAccount should
define the needed attributes).
I wanna have a minimum of needed permissions.
Thinking about adding a new "rootbinddn" (see ldap.conf)
for every host using nss_ldap...
Can somebody please tell me what permissions are needed
for nss_ldap?

Kind regards, with best regards
Stephan Lauffer

[ Pedagogical University Freiburg - Germany ]
[ http://www.ph-freiburg.de/zik/            ]
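A complete minimal ACL set along the lines discussed in this thread, written as an added example (not a configuration posted by anyone in the thread). It assumes slapd.conf syntax on OpenLDAP 2.3 or later, and the hypothetical DNs cn=admin,dc=example,dc=com (the admin) and cn=nssproxy,dc=example,dc=com (the dedicated bind DN the hosts use as rootbinddn).

```conf
# slapd.conf ACL fragment (example; DNs and base are assumptions).
# Rules are evaluated in order: the first "access to" clause matching the
# attribute decides, so the userPassword rule must precede the broader ones.

# 1. Password hashes: owner may change them, anyone may bind (auth) against
#    them, nobody else (including the nss_ldap bind DN) may read them.
access to attrs=userPassword
       by dn="cn=admin,dc=example,dc=com" write
       by self write
       by anonymous auth
       by * none

# 2. objectClass must be readable so nss_ldap can search on
#    (objectClass=posixAccount). posixAccount cannot be granted on its own:
#    it is a value of the objectClass attribute, not an attribute itself.
access to attrs=objectClass
       by dn="cn=admin,dc=example,dc=com" write
       by * read

# 3. Only the attributes nss_ldap resolves for passwd/group lookups, and only
#    for the proxy DN. "entry" is the pseudo-attribute OpenLDAP 2.3+ checks
#    before returning an entry at all; without it the search returns nothing.
access to attrs=entry,uid,uidNumber,gidNumber,cn,gecos,homeDirectory,loginShell,memberUid
       by dn="cn=admin,dc=example,dc=com" write
       by dn="cn=nssproxy,dc=example,dc=com" read
       by * none

# 4. Everything else (mail, phone numbers, and so on): admin only.
access to *
       by dn="cn=admin,dc=example,dc=com" write
       by * none

# Client side (/etc/ldap.conf on each host):
#   rootbinddn cn=nssproxy,dc=example,dc=com
# with the proxy's password on a single line in /etc/ldap.secret, owned by
# root and mode 0600. Caveat: rootbinddn is used only by root-owned
# processes; lookups by ordinary users bind anonymously (or as "binddn")
# and will get nothing under rule 3. Either set binddn/bindpw to a read-only
# DN in /etc/ldap.conf as well, or change "by * none" in rule 3 to
# "by * read" if anonymous account lookups are acceptable on your network.
```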