Am Thu, 17 Feb 2011 07:46:24 -0800
schrieb Troy Knabe <knabe(a)4j.lane.edu>:
On Feb 17, 2011, at 3:09 AM, Dieter Kluenter wrote:
> Am Wed, 16 Feb 2011 08:37:24 -0800
> schrieb Troy Knabe <knabe(a)4j.lane.edu>:
>> I didn't get any responses, so I am asking again. Did I not
>> phrase my question correctly, or am I missing something?
>> On Feb 15, 2011, at 8:40 AM, Troy Knabe wrote:
>>> I am attempting to be very granular in the access that I give to
>>> my directory, but I seem to be struggling with the implementation.
>>> I have several proxy accounts that I want to grant the access to
>>> that they need, no more, no less. But I seem to have to put a
>>> line in like:
>>> access to dn.children="dc=company,dc=com" by * read in order to
>>> authenticate. What I thought I wanted was something like this:
>>> access to attrs=userPassword
>>> by dn.exact=proxy,dc=company,dc=com write
>>> by self write
>>> by anonymous auth
>>> But without read access above, it does not work. How can I allow
>>> proxy users/groups access w/out granting read access to everyone?
>>> Or does the dn.children allow read access to all attributes?
> You need access to the root entry pseudo attributes entry and
> children, something like
> access to dn.children=dc=company,dc=com by users read by * auth
> access to dn.base=dc=company,dc=com attrs=entry,children by * auth
That is what I thought, I just wasn't sure how to resolve it. Thank
you for the answers. So now I should be able to give specific access
to specific attributes for users/groups, correct?
Yes, but you should test this rules, slapd -dacl or -d384 is your
Dieter Klünter | Systemberatung
GPG Key ID:DA147B05