Re: ACL Issues

[Dan Pritts <danno@internet2.edu>]

I am far from an expert but I believe that the dn.children line you have does grant worldwide read access to everything below dc=company,dc=com

I had similar problems to yours and i eventually added rules like this:

access to dn.one="" 
	by * read

access to dn.one="dc=com"
	by * read

and then the user authenticating already had some access to dc=company,dc=com.  Once I did that, things started working the way I hoped.

On Feb 16, 2011, at 11:37 AM, Troy Knabe wrote:
> I didn't get any responses, so I am asking again.   Did I not phrase my question correctly, or am I missing something?
> 
> Thanks!
> -Troy
> 
> 
> On Feb 15, 2011, at 8:40 AM, Troy Knabe wrote:
> 
>> I am attempting to be very granular in the access that I give to my directory, but I seem to be struggling with the implementation.
>> 
>> I have several proxy accounts that I want to grant the access to that they need, no more, no less.  But I seem to have to put a line in like:
>> 
>> access to dn.children="dc=company,dc=com" by * read in order to authenticate.  What I thought I wanted was something like this:
>> 
>> access to attrs=userPassword
>> 	by dn.exact=proxy,dc=company,dc=com write
>> 	by self write
>> 	by anonymous auth
>> 
>> But without read access above, it does not work.  How can I allow proxy users/groups access w/out granting read access to everyone?  Or does the dn.children allow read access to all attributes?
>> 
> 


Dan Pritts, Sr. Systems Engineer
Internet2
office: +1-734-352-4953 | mobile: +1-734-834-7224