Re: access



I think I am getting closer on this.  If I use what you have below, and I use 1.

1) ldapsearch "sn=Chiodi" 

I get just the dn field.  Next, if I search with 2.

2) ldapsearch -D "cn=JT Chiodi, dc=amsite, dc=com" "sn=Chiodi" -W

I get back an error.  This is correct because my dn contains an ou field.  And last,
if I search with 3.

3) ldapsearch -D "cn=JT Chiodi,ou=Employee,dc=amsite, dc=com" "sn=Chiodi" -W

I get my entire record.  So everything looks good, but if I search
from Netscape it acts like the second scenario.  I just get an error.  Is there a
way I can use ou in my dn and still authenticate properly in Netscape?

Also, if I want to use encrypted passwords for users, can I copy their /etc/shadow
entry and use that in the userpassword field like I am in the slapd.conf for root?


> >I am trying the below which incorporates the changes you suggested.  I am still able
> >to read anonymously.
> >
> >access to dn=".*,dc=amsite,dc=com" by dnattr=owner write
> 
> This rule is the same as:
> 
> access to dn=".*,dc=amsite,dc=com"
> 	by dnattr=owner write
> 	by * default
> 
> where default is your default access (which I suspect is "read").
> 
> Assuming you are accessing some entry under "dc=amsite,dc=com",
> then other rules don't matter as this rule applies.
> 
> # only allow owner to change owner attribute values, might
> # be better to disallow owner write of owner value.
> access to attr=owner
>         by dnattr=owner write
>         by * read    # deny non-self including anon
> 
> access to attr=entry
>         by self write
>         by dnattr=owner write
>         by dn=".+" read
>         by * read    # allow anon read of DNs
> 
> access to attr=cn,givenName,sn,uid
>         by self write
>         by dnattr=owner write
>         by dn=".+" read
>         by * search  # allow anon search (but not read)
> 
> access to attr=userpassword
>         by self write
>         by dnattr=owner write
>         by * none    # deny non-self including anon
> 
> access to *
>         by self write
>         by dnattr=owner write
>         by dn=".+" read
>         by * none    # deny anon access
> 



___________________

Jt "The Squeegy" Chiodi

http://www.squeegy.org/
squeegy@squeegy.org
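The ACL evaluation the quoted reply describes (only the first matching `access to` clause is consulted, the first matching `by` clause within it wins, and a clause with no matching `by` falls through to the server's default access) as an added example that is not part of this thread: a small Python model of slapd's ACL semantics run over the poster's original one-line rule and over the suggested rule set. The sample entry, the owner DN `cn=Manager,dc=amsite,dc=com` and the modelling of an anonymous bind as an empty requester DN are constructed assumptions; the rules themselves are the ones quoted above.

```python
import re
# slapd access levels, weakest to strongest; a grant at level L satisfies any request <= L.
LEVELS = ["none", "compare", "search", "read", "write"]

def who_matches(who, entry, requester):
    """One 'by <who>' clause; an anonymous bind is modelled as requester == '' (assumption)."""
    if who == "*":
        return True
    if who == "self":                  # requester is the entry being accessed
        return requester == entry["dn"]
    if who.startswith("dnattr="):      # requester DN is a value of the entry's named attribute
        return requester != "" and requester in entry.get(who[7:], [])
    if who.startswith("dn="):          # regex on the requester DN; ".+" = any non-anonymous bind
        return re.search(who[3:], requester) is not None
    raise ValueError("unsupported 'by' clause: " + who)

def target_matches(to, entry, attr):
    """One 'access to <what>' clause: '*', dn=<regex> on the entry DN, or attr=<list>."""
    if to == "*":
        return True
    if to.startswith("dn="):
        return re.search(to[3:], entry["dn"]) is not None
    if to.startswith("attr="):
        return attr in to[5:].split(",")
    raise ValueError("unsupported 'access to' clause: " + to)

def granted(acls, entry, attr, requester, default="read"):
    """First matching 'access to' wins; no matching 'by' means the implicit 'by * default'."""
    for to, by_clauses in acls:
        if target_matches(to, entry, attr):
            for who, level in by_clauses:
                if who_matches(who, entry, requester):
                    return level
            return default
    return default

def allowed(acls, entry, attr, requester, want, default="read"):
    return LEVELS.index(granted(acls, entry, attr, requester, default)) >= LEVELS.index(want)

BASE = "dc=amsite,dc=com"
OWNER = "cn=Manager," + BASE                                          # constructed owner DN
ENTRY = {"dn": "cn=JT Chiodi,ou=Employee," + BASE, "owner": [OWNER]}  # constructed sample entry
ORIGINAL = [("dn=.*," + BASE, [("dnattr=owner", "write")])]           # poster's one-line rule
SUGGESTED = [                                                         # reply's rule set, in order
    ("attr=owner", [("dnattr=owner", "write"), ("*", "read")]),
    ("attr=entry", [("self", "write"), ("dnattr=owner", "write"), ("dn=.+", "read"), ("*", "read")]),
    ("attr=cn,givenName,sn,uid", [("self", "write"), ("dnattr=owner", "write"), ("dn=.+", "read"), ("*", "search")]),
    ("attr=userpassword", [("self", "write"), ("dnattr=owner", "write"), ("*", "none")]),
    ("*", [("self", "write"), ("dnattr=owner", "write"), ("dn=.+", "read"), ("*", "none")]),
]
```

With a default access of read, `granted(ORIGINAL, ENTRY, "userpassword", "")` returns `read` for an anonymous bind, which is the leak the poster reports; under `SUGGESTED` the same call returns `none` while the owner and the entry itself still get `write`.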