I am attempting to be very granular in the access that I give to my directory, but I seem to be struggling with the implementation.
I have several proxy accounts that I want to grant the access to that they need, no more, no less. But I seem to have to put a line in like:

    access to dn.children="dc=company,dc=com" by * read

in order to authenticate. What I thought I wanted was something like this:

    access to attrs=userPassword by dn.exact=proxy,dc=company,dc=com write by self write by anonymous auth

But without read access above, it does not work. How can I allow proxy users/groups access w/out granting read access to everyone? Or does the dn.children allow read access to all attributes?
I didn't get any responses, so I am asking again. Did I not phrase my question correctly, or am I missing something?
Thanks! -Troy
On Feb 15, 2011, at 8:40 AM, Troy Knabe wrote:
> I am attempting to be very granular in the access that I give to my directory, but I seem to be struggling with the implementation.
> I have several proxy accounts that I want to grant the access to that they need, no more, no less. But I seem to have to put a line in like:
>
>     access to dn.children="dc=company,dc=com" by * read
>
> in order to authenticate. What I thought I wanted was something like this:
>
>     access to attrs=userPassword by dn.exact=proxy,dc=company,dc=com write by self write by anonymous auth
>
> But without read access above, it does not work. How can I allow proxy users/groups access w/out granting read access to everyone? Or does the dn.children allow read access to all attributes?
I am far from an expert, but I believe that the dn.children line you have does grant worldwide read access to everything below dc=company,dc=com.
I had similar problems to yours and I eventually added rules like this:

    access to dn.one="" by * read
    access to dn.one="dc=com" by * read

and then the user authenticating already had some access to dc=company,dc=com. Once I did that, things started working the way I hoped.
On Feb 16, 2011, at 11:37 AM, Troy Knabe wrote:
> I didn't get any responses, so I am asking again. Did I not phrase my question correctly, or am I missing something?
> Thanks! -Troy
Dan Pritts, Sr. Systems Engineer Internet2 office: +1-734-352-4953 | mobile: +1-734-834-7224
On Wed, 16 Feb 2011 08:37:24 -0800, Troy Knabe <knabe@4j.lane.edu> wrote:
> I didn't get any responses, so I am asking again. Did I not phrase my question correctly, or am I missing something?
> Thanks! -Troy
You need access to the root entry's pseudo-attributes "entry" and "children", something like:

    access to dn.children=dc=company,dc=com by users read by * auth
    access to dn.base=dc=company,dc=com attrs=entry,children by * auth
-Dieter
On Feb 17, 2011, at 3:09 AM, Dieter Kluenter wrote:
> You need access to the root entry's pseudo-attributes "entry" and "children", something like:
>
>     access to dn.children=dc=company,dc=com by users read by * auth
>     access to dn.base=dc=company,dc=com attrs=entry,children by * auth
That is what I thought; I just wasn't sure how to resolve it. Thank you for the answers. So now I should be able to give specific access to specific attributes for users/groups, correct?
-Troy
On Thu, 17 Feb 2011 07:46:24 -0800, Troy Knabe <knabe@4j.lane.edu> wrote:
> That is what I thought; I just wasn't sure how to resolve it. Thank you for the answers. So now I should be able to give specific access to specific attributes for users/groups, correct?
Yes, but you should test these rules; slapd -dacl or -d384 is your friend.
-Dieter
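Added example, not code from the thread or from OpenLDAP: a small Python model of the first-match ACL evaluation that slapd.access(5) describes, applied to the rules Dieter and Dan gave above. The DNs cn=proxy,dc=company,dc=com and uid=alice,ou=people,dc=company,dc=com are constructed, and the model only covers dn.base/exact/one/children targets, attrs=, and the *, anonymous, users, self and dn.exact subjects; it is not slapd's real ACL engine. It shows why the userPassword rule on its own lets the proxy bind but not find anything (nothing grants search on the "entry" pseudo-attribute), what Dieter's two rules add, that anonymous stays at auth, how Dan's dn.one rules reach the naming-context ancestors, and why a broad "by * read" rule placed before the userPassword rule also covers userPassword.

```python
"""Toy model of slapd's first-match ACL evaluation for the directives in this
thread (constructed example, not slapd's real ACL engine)."""
import shlex

# Access levels, least to most privileged (slapd.access(5)); a granted level
# satisfies a request when it is at least the required level.
LEVELS = ["none", "disclose", "auth", "compare", "search", "read", "write", "manage"]

def norm_dn(dn):
    """DN -> tuple of lower-cased RDNs, root first ('' is the root; no escaping)."""
    dn = dn.strip()
    return tuple(r.strip().lower() for r in dn.split(",")[::-1]) if dn else ()

def dn_matches(style, pattern, target):
    p, t = norm_dn(pattern), norm_dn(target)
    if style in ("base", "exact"):  # the entry itself
        return t == p
    if style == "one":              # exactly one level below the pattern
        return len(t) == len(p) + 1 and t[:len(p)] == p
    if style == "children":         # strictly below; the base itself is excluded
        return len(t) > len(p) and t[:len(p)] == p
    raise ValueError("unsupported dn style: " + style)

def parse_acl(text):
    """Parse one 'access to <what> by <who> <level> [by ...]' directive."""
    tok = shlex.split(text)         # shlex also strips the optional double quotes
    acl, i = {"dn": None, "attrs": None, "by": []}, 2
    while i < len(tok) and tok[i] != "by":
        key, _, val = tok[i].partition("=")
        if key.startswith("dn."):
            acl["dn"] = (key[3:], val)
        elif key == "attrs":
            acl["attrs"] = {a.strip().lower() for a in val.split(",")}
        else:
            raise ValueError("unsupported target: " + tok[i])
        i += 1
    while i < len(tok):             # repeated "by <who> <level>" clauses
        acl["by"].append((tok[i + 1], tok[i + 2]))
        i += 3
    return acl

def who_matches(who, subject, entry_dn):
    """subject is the bound DN, or None for an anonymous connection."""
    if who == "*":
        return True
    if who == "anonymous":
        return subject is None
    if who == "users":
        return subject is not None
    if who == "self":
        return subject is not None and norm_dn(subject) == norm_dn(entry_dn)
    if who.startswith("dn.exact="):
        return subject is not None and norm_dn(subject) == norm_dn(who[9:])
    raise ValueError("unsupported <who>: " + who)

def granted_level(acls, entry_dn, attr, subject):
    """Only the FIRST directive whose target matches is consulted; inside it the
    FIRST matching 'by' clause wins. No match anywhere is slapd's implicit none."""
    for acl in acls:
        if acl["dn"] and not dn_matches(acl["dn"][0], acl["dn"][1], entry_dn):
            continue
        # No attrs= means every attribute, including the entry/children pseudo-attributes.
        if acl["attrs"] is not None and attr.lower() not in acl["attrs"]:
            continue
        for who, level in acl["by"]:
            if who_matches(who, subject, entry_dn):
                return level
        return "none"
    return "none"

def allowed(acls, entry_dn, attr, subject, required):
    return LEVELS.index(granted_level(acls, entry_dn, attr, subject)) >= LEVELS.index(required)

PROXY = "cn=proxy,dc=company,dc=com"            # constructed proxy account
ALICE = "uid=alice,ou=people,dc=company,dc=com"  # constructed user entry
PASSWORD_RULE = 'access to attrs=userPassword by dn.exact="%s" write by self write by anonymous auth' % PROXY
PASSWORD_ONLY = [parse_acl(PASSWORD_RULE)]
WITH_ENTRY_ACCESS = [parse_acl(l) for l in (PASSWORD_RULE,          # Dieter's two rules added
    'access to dn.children="dc=company,dc=com" by users read by * auth',
    'access to dn.base="dc=company,dc=com" attrs=entry,children by * auth')]
BROAD_RULE_FIRST = [parse_acl(l) for l in (                         # "by * read" placed first
    'access to dn.children="dc=company,dc=com" by * read', PASSWORD_RULE)]
ONE_LEVEL = [parse_acl(l) for l in ('access to dn.one="" by * read',  # Dan's rules
                                    'access to dn.one="dc=com" by * read')]

def scenarios():
    """Each entry answers one question an admin would ask of the rules."""
    return {
        # anonymous can bind as the proxy (auth on its own userPassword)...
        "proxy_bind_password_only": allowed(PASSWORD_ONLY, PROXY, "userPassword", None, "auth"),
        # ...but, once bound, cannot find alice: nothing grants search on "entry"
        "proxy_finds_alice_password_only": allowed(PASSWORD_ONLY, ALICE, "entry", PROXY, "search"),
        "proxy_finds_alice_with_entry_access": allowed(WITH_ENTRY_ACCESS, ALICE, "entry", PROXY, "search"),
        "proxy_reads_mail": allowed(WITH_ENTRY_ACCESS, ALICE, "mail", PROXY, "read"),
        "anon_reads_mail": allowed(WITH_ENTRY_ACCESS, ALICE, "mail", None, "read"),
        "anon_reads_password": allowed(WITH_ENTRY_ACCESS, ALICE, "userPassword", None, "read"),
        # order matters: the broad rule placed first also covers userPassword
        "anon_reads_password_broad_first": allowed(BROAD_RULE_FIRST, ALICE, "userPassword", None, "read"),
        "anon_reads_dc_com_entry": allowed(ONE_LEVEL, "dc=com", "entry", None, "read"),
        "anon_reads_base_entry": allowed(ONE_LEVEL, "dc=company,dc=com", "entry", None, "read"),
    }
```

The real check is the one Dieter recommends: watch the ACL trace of a running slapd, or evaluate a single access against the configuration file with slapacl, for example `slapacl -f /etc/openldap/slapd.conf -v -D "cn=proxy,dc=company,dc=com" -b "uid=alice,ou=people,dc=company,dc=com" entry/search` (the path and DNs are placeholders), which reports whether that access would be granted without touching a live directory.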
openldap-technical@openldap.org