[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: acl to read dn only

Ron Peterson wrote:
> I'm trying to create an acl which allow a particular use to search my
> DIT and retrieve dn values only.  Perhaps a (broken) attempt at an acl
> will help explain what I mean:
> access to dn.children="dc=mtholyoke,dc=edu" attrs=distinguishedName
>        by dn="cn=proxysearchdn,dc=mtholyoke,dc=edu" read
>        by * break
> access to dn.children="dc=mtholyoke,dc=edu"
>        by dn="cn=proxysearchdn,dc=mtholyoke,dc=edu" search
>        by * break
> I want to use my proxysearchdn user to do the first step of a search and
> bind operation, without giving that user any more access to objects than
> necessary.
> BTW, I can indicate attrs=distinguishedName, but attrs=dn gives me an
> error.  Correct behaviour, I'm sure, but I'm not sure then how to say
> what I mean.

attrs=entry will give access to the pseudo-attribute "entry", which
implies access to the entry's DN.  That's what is checked when
determining if an entry is to be returned by a search operation.


Ing. Pierangelo Masarati
OpenLDAP Core Team

SysNet s.r.l.
via Dossi, 8 - 27100 Pavia - ITALIA
Office:  +39 02 23998309
Mobile:  +39 333 4963172
Email:   pierangelo.masarati@sys-net.it