On Feb 17, 2011, at 3:09 AM, Dieter Kluenter wrote:
On Wed, 16 Feb 2011 08:37:24 -0800, Troy Knabe knabe@4j.lane.edu wrote:
I didn't get any responses, so I am asking again. Did I not phrase my question correctly, or am I missing something?
Thanks! -Troy
On Feb 15, 2011, at 8:40 AM, Troy Knabe wrote:
I am attempting to be very granular in the access that I give to my directory, but I seem to be struggling with the implementation.
I have several proxy accounts that I want to grant the access that they need, no more, no less. But I seem to have to put a line in like:

    access to dn.children="dc=company,dc=com" by * read

in order to authenticate. What I thought I wanted was something like this:

    access to attrs=userPassword
        by dn.exact=proxy,dc=company,dc=com write
        by self write
        by anonymous auth
But without read access above, it does not work. How can I allow proxy users/groups access w/out granting read access to everyone? Or does the dn.children allow read access to all attributes?
You need access to the root entry pseudo attributes entry and children, something like
    access to dn.children=dc=company,dc=com
        by users read
        by * auth
    access to dn.base=dc=company,dc=com attrs=entry,children
        by * auth
That is what I thought, I just wasn't sure how to resolve it. Thank you for the answers. So now I should be able to give specific access to specific attributes for users/groups, correct?
-Troy
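
Added example, not part of either poster's messages: a slapd.conf ACL set that answers the closing question by combining the `userPassword` rule with the `entry` pseudo-attribute rules, so binds work without `by * read`. The DN `cn=proxy,dc=company,dc=com` and the attribute list `uid,cn,mail` are assumptions made for illustration.

```conf
# Constructed example. slapd uses the first "access to" clause whose <what>
# matches, then the first matching "by" inside it. Each clause ends with an
# implicit "by * none", and the list ends with an implicit
# "access to * by * none", so anything not granted here is denied.

# Too broad: every identity, anonymous included, can read every attribute
# of every entry below the suffix.
#access to dn.children="dc=company,dc=com" by * read

# 1. Credentials. Must come before any broader rule that also matches
#    userPassword. Anonymous may only authenticate against the value.
access to attrs=userPassword
    by dn.exact="cn=proxy,dc=company,dc=com" write
    by self write
    by anonymous auth
    by * none

# 2. Suffix entry: pseudo-attributes only. A search needs search access to
#    "entry" on the search base; read includes search.
access to dn.base="dc=company,dc=com" attrs=entry,children
    by dn.exact="cn=proxy,dc=company,dc=com" read
    by * auth

# 3. Entries below the suffix: a bind needs auth on the "entry"
#    pseudo-attribute of the binding DN as well as on userPassword.
access to dn.children="dc=company,dc=com" attrs=entry
    by dn.exact="cn=proxy,dc=company,dc=com" read
    by self read
    by anonymous auth
    by * none

# 4. Only the attributes the proxy actually needs (assumed list).
access to dn.children="dc=company,dc=com" attrs=uid,cn,mail
    by dn.exact="cn=proxy,dc=company,dc=com" read
    by self read
    by * none

# 5. The implicit default, written out.
access to * by * none
```

The original `userPassword`-only rule failed because no clause matched the `entry` pseudo-attribute, so the implicit deny applied to the bind.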