[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: ACL Issues

Subject: Re: ACL Issues
From: Troy Knabe <knabe@4j.lane.edu>
Date: Wed, 16 Feb 2011 08:37:24 -0800
Cc: openldap-technical@openldap.org
In-reply-to: <078A3B5A-B0DF-46F7-A98A-D43520061270@4j.lane.edu>
References: <078A3B5A-B0DF-46F7-A98A-D43520061270@4j.lane.edu>

I didn't get any responses, so I am asking again.   Did I not phrase my question correctly, or am I missing something?

Thanks!
-Troy


On Feb 15, 2011, at 8:40 AM, Troy Knabe wrote:

> I am attempting to be very granular in the access that I give to my directory, but I seem to be struggling with the implementation.
> 
> I have several proxy accounts that I want to grant the access to that they need, no more, no less.  But I seem to have to put a line in like:
> 
> access to dn.children="dc=company,dc=com" by * read in order to authenticate.  What I thought I wanted was something like this:
> 
> access to attrs=userPassword
> 	by dn.exact=proxy,dc=company,dc=com write
> 	by self write
> 	by anonymous auth
> 
> But without read access above, it does not work.  How can I allow proxy users/groups access w/out granting read access to everyone?  Or does the dn.children allow read access to all attributes?
>

Follow-Ups:
- Re: ACL Issues
  - From: Dan Pritts <danno@internet2.edu>
- Re: ACL Issues
  - From: Dieter Kluenter <dieter@dkluenter.de>

References:
- ACL Issues
  - From: Troy Knabe <knabe@4j.lane.edu>

Prev by Date: Re: ldap auth does not works after openldap upgrade
Next by Date: Re: Error: CSN too old and replication fails
Index(es):
- Chronological
- Thread