[Date Prev][Date Next]
Re: ACL Issues
Am Wed, 16 Feb 2011 08:37:24 -0800
schrieb Troy Knabe <firstname.lastname@example.org>:
> I didn't get any responses, so I am asking again. Did I not phrase
> my question correctly, or am I missing something?
> On Feb 15, 2011, at 8:40 AM, Troy Knabe wrote:
> > I am attempting to be very granular in the access that I give to my
> > directory, but I seem to be struggling with the implementation.
> > I have several proxy accounts that I want to grant the access to
> > that they need, no more, no less. But I seem to have to put a line
> > in like:
> > access to dn.children="dc=company,dc=com" by * read in order to
> > authenticate. What I thought I wanted was something like this:
> > access to attrs=userPassword
> > by dn.exact=proxy,dc=company,dc=com write
> > by self write
> > by anonymous auth
> > But without read access above, it does not work. How can I allow
> > proxy users/groups access w/out granting read access to everyone?
> > Or does the dn.children allow read access to all attributes?
You need access to the root entry pseudo attributes entry and children,
access to dn.children=dc=company,dc=com by users read by * auth
access to dn.base=dc=company,dc=com attrs=entry,children by * auth
Dieter Klünter | Systemberatung
GPG Key ID:DA147B05