
Re: acl to read dn only



2008-03-14_13:02:23-0400 Pierangelo Masarati <ando@sys-net.it>:
> Ron Peterson wrote:
> > I'm trying to create an acl which allows a particular user to search my
> > DIT and retrieve dn values only.  Perhaps a (broken) attempt at an acl
> > will help explain what I mean:
> > 
> > access to dn.children="dc=mtholyoke,dc=edu" attrs=distinguishedName
> >        by dn="cn=proxysearchdn,dc=mtholyoke,dc=edu" read
> >        by * break
> > 
> > access to dn.children="dc=mtholyoke,dc=edu"
> >        by dn="cn=proxysearchdn,dc=mtholyoke,dc=edu" search
> >        by * break
> > 
> > I want to use my proxysearchdn user to do the first step of a search and
> > bind operation, without giving that user any more access to objects than
> > necessary.
> > 
> > BTW, I can indicate attrs=distinguishedName, but attrs=dn gives me an
> > error.  Correct behaviour, I'm sure, but I'm not sure then how to say
> > what I mean.
> 
> attrs=entry will give access to the pseudo-attribute "entry", which
> implies access to the entry's DN.  That's what is checked when
> determining if an entry is to be returned by a search operation.

Ah, perfect.  When I replace 'distinguishedName' above w/ 'entry' I get
just what I was looking for.

Thanks!

-- 
Ron Peterson
Network & Systems Manager
Mount Holyoke College
http://www.mtholyoke.edu/~rpeterso
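A complete slapd.conf ACL set for the search-then-bind pattern discussed in this thread, as an added example (it is not part of the original messages and not OpenLDAP project code). The proxy DN and suffix are the ones from the thread; the choice of uid as the attribute the proxy filters on, the use of userPassword for the bind step, and the placement of these rules ahead of the site's regular rules are assumptions.

```conf
# Added example, not from the thread or from OpenLDAP itself.
# Assumed: clients look users up by uid and then bind with the returned DN.
# These clauses must appear before the site's general "access to *" rules,
# because slapd uses the first "access to" clause whose target matches.

# 1. Let the proxy DN evaluate filters on uid. "search" access is what slapd
#    checks when it applies a filter to an attribute; it does not let the
#    proxy read uid back. Every other requester falls through ("break").
access to dn.children="dc=mtholyoke,dc=edu" attrs=uid
       by dn="cn=proxysearchdn,dc=mtholyoke,dc=edu" search
       by * break

# 2. Let the proxy DN get the matching entry's DN back. "entry" is the
#    pseudo-attribute slapd checks before returning an entry from a search;
#    read on it yields the DN and nothing else, since no real attribute is
#    readable by the proxy. (read implies search in slapd's level ordering.)
access to dn.children="dc=mtholyoke,dc=edu" attrs=entry
       by dn="cn=proxysearchdn,dc=mtholyoke,dc=edu" read
       by * break

# 3. The bind step. The client, still unauthenticated, binds as the DN it
#    got from step 2, so anonymous needs "auth" on userPassword. The proxy
#    DN is deliberately given nothing here.
access to attrs=userPassword
       by self write
       by anonymous auth
       by * none

# 4. Close everything else to the proxy DN explicitly; other principals
#    continue on to the regular site rules (not shown).
access to *
       by dn="cn=proxysearchdn,dc=mtholyoke,dc=edu" none
       by * break
```

With these rules, `ldapsearch -D cn=proxysearchdn,dc=mtholyoke,dc=edu -b dc=mtholyoke,dc=edu '(uid=rpeterso)'` returns the matching DN with no attributes, and a filter on any attribute other than uid matches nothing, because the proxy has no search access to it. Note that dn.children excludes the suffix entry itself; use dn.subtree in rules 1 and 2 if the proxy should also be able to see the base entry's DN.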