[sorry, should have gone to the list]
On Thu, 24 May 2012 14:02:28 +0300, Nick Milas wrote:
access to dn.base="ou=system,dc=example,dc=com" by dn.exact="uid=userx,ou=people,dc=example,dc=com" write
This gives 'uid=userx,...' access to 'ou=system,...' _and everything below it_.
access to dn.exact="ou=system,dc=example,dc=com" by dn.base="uid=userx,ou=people,dc=example,dc=com" write
While this is the opposite - it gives 'uid=userx,...' and any objects below this (not much point in this exact example :) to ONLY the base object 'ou=system,...'.
For example:
----- s n i p -----
access to dn.exact=""
    attrs=supportedSASLMechanisms,namingContexts,subschemaSubentry,objectClass,monitorContext,configContext,entry
    by domain.subtree="bayour.com" read
    by peername.ip="127.0.0.1" read
    by peername.ip="192.168.69.8" read
    by peername.path="/var/run/slapd/ldapi" read
----- s n i p -----
This gives almost anonymous access to certain attributes to the base DN...
Sent: Thu May 24 2012 07:38:35 GMT-0400 (EDT)
From: Turbo Fredriksson turbo@bayour.com
To: openldap-technical@openldap.org
Subject: Re: dn.exact vs dn.base
[sorry, should have gone to the list]
On Thu, 24 May 2012 14:02:28 +0300, Nick Milas wrote:
access to dn.base="ou=system,dc=example,dc=com" by dn.exact="uid=userx,ou=people,dc=example,dc=com" write
This gives 'uid=userx,...' access to 'ou=system,...' _and everything below it_.
access to dn.exact="ou=system,dc=example,dc=com" by dn.base="uid=userx,ou=people,dc=example,dc=com" write
While this is the opposite - it gives 'uid=userx,...' and any objects below this (not much point in this exact example :) to ONLY the base object 'ou=system,...'.
You're thinking of dn.subtree. dn.base only applies to the specific entry.
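
Added example, not part of the original thread: a small Python model of the DN scope styles documented in slapd.access(5), useful for checking how far an ACL's <what> or <who> clause reaches before deploying it. The function names and sample DNs are constructed for illustration, and DN parsing is simplified (no escaped commas).

```python
# Simplified model of the dn.<style> scopes from slapd.access(5).
# Assumption: DNs contain no escaped commas; slapd itself does full normalization.

def rdns(dn):
    """Split a DN into lower-cased RDNs, leaf first."""
    return [part.strip().lower() for part in dn.split(",") if part.strip()]

def dn_matches(style, pattern, target):
    """Return True if target lies inside the scope `style` rooted at pattern."""
    p, t = rdns(pattern), rdns(target)
    # target must end with every RDN of pattern to be at or below it
    if len(t) < len(p) or t[len(t) - len(p):] != p:
        return False
    depth = len(t) - len(p)          # 0 = the entry itself, 1 = direct child
    if style in ("exact", "base", "baseobject"):
        return depth == 0            # exact and base are synonyms
    if style in ("one", "onelevel"):
        return depth == 1
    if style in ("sub", "subtree"):
        return depth >= 0            # the entry and everything below it
    if style == "children":
        return depth >= 1            # everything below, not the entry itself
    raise ValueError("unknown dn style: " + style)

# Constructed sample entries
SYSTEM = "ou=system,dc=example,dc=com"
CHILD = "cn=admin,ou=system,dc=example,dc=com"
GRANDCHILD = "cn=key,cn=admin,ou=system,dc=example,dc=com"
OTHER = "ou=people,dc=example,dc=com"

def scope_table():
    """Map each style to the sample entries it covers under SYSTEM."""
    styles = ("exact", "base", "one", "subtree", "children")
    entries = (SYSTEM, CHILD, GRANDCHILD, OTHER)
    return {s: [e for e in entries if dn_matches(s, SYSTEM, e)] for s in styles}

if __name__ == "__main__":
    for style, covered in scope_table().items():
        print("dn.%-8s -> %s" % (style, covered))
```
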