
Re: acl to read dn only



Ron Peterson wrote:
> I'm trying to create an acl which allows a particular user to search my
> DIT and retrieve dn values only.  Perhaps a (broken) attempt at an acl
> will help explain what I mean:
> 
> access to dn.children="dc=mtholyoke,dc=edu" attrs=distinguishedName
>        by dn="cn=proxysearchdn,dc=mtholyoke,dc=edu" read
>        by * break
> 
> access to dn.children="dc=mtholyoke,dc=edu"
>        by dn="cn=proxysearchdn,dc=mtholyoke,dc=edu" search
>        by * break
> 
> I want to use my proxysearchdn user to do the first step of a search and
> bind operation, without giving that user any more access to objects than
> necessary.
> 
> BTW, I can indicate attrs=distinguishedName, but attrs=dn gives me an
> error.  Correct behaviour, I'm sure, but I'm not sure then how to say
> what I mean.

attrs=entry will give access to the pseudo-attribute "entry", which
implies access to the entry's DN.  That's what is checked when
determining if an entry is to be returned by a search operation.

p.



Ing. Pierangelo Masarati
OpenLDAP Core Team

SysNet s.r.l.
via Dossi, 8 - 27100 Pavia - ITALIA
http://www.sys-net.it
---------------------------------------
Office:  +39 02 23998309
Mobile:  +39 333 4963172
Email:   pierangelo.masarati@sys-net.it
---------------------------------------
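As an added illustration, not part of the thread above, here is the ACL from the original question rewritten with the attrs=entry pseudo-attribute that Pierangelo points to. It keeps the same suffix and proxy DN as the question (dc=mtholyoke,dc=edu and cn=proxysearchdn,dc=mtholyoke,dc=edu). The uid rule is an assumption about which attribute the application filters on: slapd requires search access to the attributes named in a search filter before an entry can match, so a rule that only covers entry would let the proxy user see DNs but never find anything with a (uid=...) filter. The rules are written in slapd.conf syntax and are ordered most-specific first, as slapd evaluates them in order.

```text
# Proxy user may learn that entries exist and read their DNs,
# but nothing else about them (attrs=entry covers the DN).
access to dn.children="dc=mtholyoke,dc=edu" attrs=entry
        by dn.exact="cn=proxysearchdn,dc=mtholyoke,dc=edu" read
        by * break

# Assumed: the application searches with a (uid=<login>) filter.
# search (not read) is enough for the filter to match; the
# value itself is never returned to the proxy user.
access to dn.children="dc=mtholyoke,dc=edu" attrs=uid
        by dn.exact="cn=proxysearchdn,dc=mtholyoke,dc=edu" search
        by * break

# Everything else under the suffix stays closed to the proxy user.
# Later rules for other identities (users reading their own
# entries, admins, etc.) follow here.
```

With these rules in place, a search bound as the proxy user against the suffix with a (uid=...) filter returns only the matching entry's DN and no attribute values; the application then binds as that DN with the user-supplied password, which is the second step of the search-and-bind flow described in the question. Checking the effect with slapacl(8) against a sample entry before reloading the server avoids opening more than intended.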