On Wed, Dec 3, 2008 at 12:30 AM, Andrew Findlay andrew.findlay@skills-1st.co.uk wrote:
> You could split the rule into two clauses:
> access to attr=c,o,ou,cn,sn,givenName,mail,entry by dn.exact=cn=limited,dc=example,dc=com read by * break
> access to * by dn.exact=cn=limited,dc=example,dc=com none by * break
Thanks for your assistance Andrew, this approach seems to be working well.
I needed to add more attributes, but primarily only to make my LDAP browser happy, allow syncrepl, and some handy informational attributes for the carbon-based lifeforms who maintain the data.
Cheers Brett
For posterity, and google, the final config came out as:
# allow replicator to read all
access to * by dn.exact="cn=replicator,dc=example,dc=com" read by * break
# restricted set of non-operational attributes
access to attr=c,o,ou,cn,sn,givenName,mail,entry by dn.exact="cn=limited,dc=example,dc=com" read by * break
# for browsing / syncrepl
access to attr=objectClass,hasSubordinates,entryDN,entryCSN,entryUUID by dn.exact="cn=limited,dc=example,dc=com" read by * break
# modify/create information
access to attr=createTimeStamp,modifyTimestamp,creatorsName,modifiersName by dn.exact="cn=limited,dc=example,dc=com" read by * break
# disallow other access by limited user
access to * by dn.exact="cn=limited,dc=example,dc=com" none by * break
# default rules
access to * by self write by * read
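As an added illustration (my own code, not part of Brett's or Andrew's messages and not OpenLDAP's evaluator), here is a small Python model of how slapd walks these directives top to bottom, so you can see which level each bind ends up with on a given attribute. It assumes the evaluation order as I read it from slapd.access(5): the first `access to` whose `what` matches the attribute is used, within it the first matching `by` clause decides, `break` moves on to the next directive, a directive that matches the attribute but none of whose `by` clauses match acts as `by * none`, and a `by` clause with no level (the `by * break` idiom) leaves the level unchanged. It supports only the selectors the posted config uses, does not model `continue` or `+`/`-` incremental levels, and compares DNs as case-insensitive strings rather than normalising them. The target entry `uid=alice,dc=example,dc=com` and the bind `uid=bob,dc=example,dc=com` are constructed for the demonstration.

```python
"""Toy model of slapd access-directive evaluation (added example, not from the thread).

Assumptions, taken from my reading of slapd.access(5): directives are tried in
order, the first matching <what> is used, the first matching <by> decides,
`break` goes on to the next directive, a matching directive with no matching
<by> clause is an implicit `by * none`, and a <by> clause with no level leaves
the level unchanged.  `continue` and `+`/`-` levels are not modelled.
"""
import shlex

# The ACL from the message, one directive per line (comments on their own lines).
SLAPD_ACL = """# allow replicator to read all
access to * by dn.exact="cn=replicator,dc=example,dc=com" read by * break
# restricted set of non-operational attributes
access to attr=c,o,ou,cn,sn,givenName,mail,entry by dn.exact="cn=limited,dc=example,dc=com" read by * break
# for browsing / syncrepl
access to attr=objectClass,hasSubordinates,entryDN,entryCSN,entryUUID by dn.exact="cn=limited,dc=example,dc=com" read by * break
# modify/create information
access to attr=createTimeStamp,modifyTimestamp,creatorsName,modifiersName by dn.exact="cn=limited,dc=example,dc=com" read by * break
# disallow other access by limited user
access to * by dn.exact="cn=limited,dc=example,dc=com" none by * break
# default rules
access to * by self write by * read
"""

LEVELS = ("none", "disclose", "auth", "compare", "search", "read", "write", "manage")
CONTROLS = ("stop", "break")

def parse_acl(text):
    """Return [(what, [(who, level_or_None, control), ...]), ...] in file order."""
    rules = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        tokens = shlex.split(line)  # strips the quotes around the DNs
        if len(tokens) < 3 or tokens[:2] != ["access", "to"]:
            raise ValueError("not an access directive: " + line)
        what, rest, clauses, i = tokens[2], tokens[3:], [], 0
        while i < len(rest):
            if rest[i] != "by" or i + 1 >= len(rest):
                raise ValueError("malformed by-clause in: " + line)
            who, level, control = rest[i + 1], None, "stop"
            i += 2
            if i < len(rest) and rest[i] in LEVELS:
                level, i = rest[i], i + 1
            if i < len(rest) and rest[i] in CONTROLS:
                control, i = rest[i], i + 1
            if i < len(rest) and rest[i] != "by":
                raise ValueError("unsupported token %r in: %s" % (rest[i], line))
            clauses.append((who, level, control))
        rules.append((what, clauses))
    return rules

def what_matches(what, attr):
    """<what> selector: '*' or an attr=/attrs= list (attribute names are case-insensitive)."""
    if what == "*":
        return True
    for prefix in ("attrs=", "attr="):
        if what.startswith(prefix):
            return attr.lower() in [a.lower() for a in what[len(prefix):].split(",")]
    raise ValueError("unsupported <what> selector: " + what)

def who_matches(who, requester_dn, entry_dn):
    """<who> selector; requester_dn None means an anonymous bind."""
    if who == "*":
        return True
    if who == "anonymous":
        return requester_dn is None
    if who == "users":
        return requester_dn is not None
    if who == "self":
        return requester_dn is not None and requester_dn.lower() == entry_dn.lower()
    if who.startswith("dn.exact="):
        return requester_dn is not None and requester_dn.lower() == who[len("dn.exact="):].lower()
    raise ValueError("unsupported <who> selector: " + who)

def access_level(rules, requester_dn, entry_dn, attr):
    """Level the requester ends up with on one attribute of one entry."""
    granted = None  # carried across `break` directives until a `stop` clause settles it
    for what, clauses in rules:
        if not what_matches(what, attr):
            continue
        for who, level, control in clauses:
            if not who_matches(who, requester_dn, entry_dn):
                continue
            if level is not None:  # a clause with no level leaves the level as it was
                granted = level
            if control == "stop":
                return granted if granted is not None else "none"
            break  # `break`: carry on with the next directive
        else:
            return "none"  # attribute matched but no <by> clause did: implicit `by * none`
    return granted if granted is not None else "none"  # assumption: deny if nothing decided

if __name__ == "__main__":
    rules = parse_acl(SLAPD_ACL)
    entry = "uid=alice,dc=example,dc=com"  # constructed target entry
    binds = {"anonymous": None, "self": entry, "other": "uid=bob,dc=example,dc=com",
             "limited": "cn=limited,dc=example,dc=com",
             "replicator": "cn=replicator,dc=example,dc=com"}
    for attr in ("cn", "entryUUID", "telephoneNumber", "userPassword"):
        row = ", ".join("%s=%s" % (n, access_level(rules, dn, entry, attr)) for n, dn in binds.items())
        print("%-16s %s" % (attr, row))
```

Running it prints one row per attribute showing the level each bind gets. Besides confirming that `cn=limited` reads the listed attributes and nothing else, the table makes visible what the final catch-all grants to binds not named earlier: any other authenticated user, and an anonymous bind, get `read` on every attribute that reaches that rule, `userPassword` included. Walking the rules this way before they go live is the check worth doing with any `by * break` chain, since the last directive decides everything the earlier ones let through.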