If the copier has a Bind DN option, then something along the lines of...
access to dn.subtree="ou=Engineering,dc=example,dc=com" by dn.exact="cn=EngineeringCopier,ou=Engineering,dc=example,dc=com" read by [...everythingelse...]
access to * by dn.exact="cn=EngineeringCopier,ou=Engineering,dc=example,dc=com" none by [...everythingelse...]
If it doesn't, you could substitute the "dn.exact" with "peername.ip." Super disgusting, but it'd probably work.
(NOTE: if you're going to write back "they're all in ou=People" try
access to dn.subtree="ou=People,dc=example,dc=com" filter="(dept=Engineering)" by dn.exact="cn=EngineeringCopier,ou=Devices,dc=example,dc=com" read by [...everythingelse...])
Aaron Richton wrote:
> If the copier has a Bind DN option, then something along the lines of...
> access to dn.subtree="ou=Engineering,dc=example,dc=com" by dn.exact="cn=EngineeringCopier,ou=Engineering,dc=example,dc=com" read by [...everythingelse...]
> access to * by dn.exact="cn=EngineeringCopier,ou=Engineering,dc=example,dc=com" none by [...everythingelse...]
Excellent, I thought ACLs were restricted to attributes only, not to whole entries.
> If it doesn't, you could substitute the "dn.exact" with "peername.ip." Super disgusting, but it'd probably work.
The Bind DN option failed because the printer doesn't allow installing CA certificates, nor doing SSL/TLS without checking server certificates, and authentication is only permitted through an encrypted connection, so I had to rely on the copier IP.
Thanks!
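Putting the two halves of the thread together (bind DN where the device supports it, peername.ip where it does not), here is an added slapd.conf example that is not from either poster; the copier address 192.0.2.10, the dept attribute, the ou=Devices entry and the ou=People layout are assumptions, and the comments spell out the ordering rules that decide whether such an ACL actually works.

```conf
# Added example (not from the thread). Assumes: people live under
# ou=People and carry dept=Engineering; the copier either binds as
# cn=EngineeringCopier,ou=Devices or connects anonymously from 192.0.2.10
# with ou=People as its search base.

# 1. slapd needs search access to the search base entry itself before it
#    evaluates any per-entry rule, and the base entry does not match the
#    (dept=Engineering) filter below, so grant it separately.
access to dn.exact="ou=People,dc=example,dc=com" attrs=entry
    by dn.exact="cn=EngineeringCopier,ou=Devices,dc=example,dc=com" search
    by peername.ip=192.0.2.10 search
    by * none   # placeholder: keep the site's existing clauses here

# 2. Most specific rule next: slapd uses the FIRST "access to" whose
#    <what> matches the entry, so a broad "access to *" placed above this
#    line would shadow it.
access to dn.subtree="ou=People,dc=example,dc=com" filter="(dept=Engineering)"
    # A bind-DN capable device: grant by identity, not by address.
    by dn.exact="cn=EngineeringCopier,ou=Devices,dc=example,dc=com" read
    # The fallback from the thread: an unauthenticated client is known
    # only by its source address, which is only as trustworthy as the
    # network path (NAT or spoofing collapses the "identity"). Pin it to
    # one host rather than a subnet.
    by peername.ip=192.0.2.10 read
    # Within a directive the first matching "by" wins and evaluation
    # stops, so "by *" stays last.
    by * none   # placeholder: keep the site's existing clauses here

# 3. Everything else in the tree: the copier, under either identity, sees
#    nothing. Without this rule a later, broader rule (or the global
#    default) could still hand it the rest of the directory.
access to *
    by dn.exact="cn=EngineeringCopier,ou=Devices,dc=example,dc=com" none
    by peername.ip=192.0.2.10 none
    by * none   # placeholder: keep the site's existing clauses here
```

Verify it from the copier's address with an anonymous ldapsearch against ou=People and again against the tree root: the first should return only Engineering entries, the second nothing.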
openldap-software@openldap.org