I am attempting to be very granular in the access that I give to my directory, but I seem to be struggling with the implementation. I have several proxy accounts that I want to grant the access to that they need, no more, no less. But I seem to have to put a line in like: access to dn.children="dc=company,dc=com" by * read in order to authenticate. What I thought I wanted was something like this: access to attrs=userPassword by dn.exact=proxy,dc=company,dc=com write by self write by anonymous auth But without read access above, it does not work. How can I allow proxy users/groups access w/out granting read access to everyone? Or does the dn.children allow read access to all attributes?

I didn't get any responses, so I am asking again. Did I not phrase my question correctly, or am I missing something? Thanks! -Troy On Feb 15, 2011, at 8:40 AM, Troy Knabe wrote: > I am attempting to be very granular in the access that I give to my > directory, but I seem to be struggling with the implementation. > > I have several proxy accounts that I want to grant the access to > that they need, no more, no less. But I seem to have to put a line > in like: > > access to dn.children="dc=company,dc=com" by * read in order to > authenticate. What I thought I wanted was something like this: > > access to attrs=userPassword > by dn.exact=proxy,dc=company,dc=com write > by self write > by anonymous auth > > But without read access above, it does not work. How can I allow > proxy users/groups access w/out granting read access to everyone? > Or does the dn.children allow read access to all attributes?

On Feb 17, 2011, at 3:09 AM, Dieter Kluenter wrote: > Am Wed, 16 Feb 2011 08:37:24 -0800 > schrieb Troy Knabe <knabe(a)4j.lane.edu&gt;: > >> I didn't get any responses, so I am asking again. Did I not >> phrase my question correctly, or am I missing something? >> >> Thanks! >> -Troy >> >> >> On Feb 15, 2011, at 8:40 AM, Troy Knabe wrote: >> >>> I am attempting to be very granular in the access that I give to >>> my directory, but I seem to be struggling with the implementation. >>> >>> I have several proxy accounts that I want to grant the access to >>> that they need, no more, no less. But I seem to have to put a >>> line in like: >>> >>> access to dn.children="dc=company,dc=com" by * read in order to >>> authenticate. What I thought I wanted was something like this: >>> >>> access to attrs=userPassword >>> by dn.exact=proxy,dc=company,dc=com write >>> by self write >>> by anonymous auth >>> >>> But without read access above, it does not work. How can I allow >>> proxy users/groups access w/out granting read access to everyone? >>> Or does the dn.children allow read access to all attributes? > > You need access to the root entry pseudo attributes entry and > children, something like > > access to dn.children=dc=company,dc=com by users read by * auth > access to dn.base=dc=company,dc=com attrs=entry,children by * auth That is what I thought, I just wasn't sure how to resolve it. Thank you for the answers. So now I should be able to give specific access to specific attributes for users/groups, correct?