Re: access
I think I am getting closer on this. If I use what you have below, and I use 1.
1) ldapsearch "sn=Chiodi"
I get just the dn field. Next, if I search with 2.
2) ldapsearch -D "cn=JT Chiodi, dc=amsite, dc=com" "sn=Chiodi" -W
I get back an error. This is correct because my dn contains an ou field. And last,
if I search with 3.
3) ldapsearch -D "cn=JT Chiodi,ou=Employee,dc=amsite, dc=com" "sn=Chiodi" -W
I get my entire record. So everything looks good, but if I search
from Netscape it acts like the second scenario. I just get an error. Is there a
way I can use ou in my dn and still authenticate properly in Netscape?
Also, if I want to use encrypted passwords for users, can I copy their /etc/shadow
entry and use that in the userpassword field like I am in the slapd.conf for root?
> >I am trying the below which incorporates the changes you suggested. I am still able
> >to read anonymously.
> >
> >access to dn=".*,dc=amsite,dc=com" by dnattr=owner write
>
> This rule is the same as:
>
> access to dn=".*,dc=amsite,dc=com"
> by dnattr=owner write
> by * default
>
> where default is your default access (which I suspect is "read").
>
> Assuming you are accessing some entry under "dc=amsite,dc=com",
> then other rules don't matter as this rule applies.
>
> # only allow owner to change owner attribute values, might
> # be better to disallow owner write of owner value.
> access to attr=owner
> by dnattr=owner write
> by * read # deny non-self including anon
>
> access to attr=entry
> by self write
> by dnattr=owner write
> by dn=".+" read
> by * read # allow anon read of DNs
>
> access to attr=cn,givenName,sn,uid
> by self write
> by dnattr=owner write
> by dn=".+" read
> by * search # allow anon search (but not read)
>
> access to attr=userpassword
> by self write
> by dnattr=owner write
> by * none # deny non-self including anon
>
> access to *
> by self write
> by dnattr=owner write
> by dn=".+" read
> by * none # deny anon access
>
___________________
Jt "The Squeegy" Chiodi
http://www.squeegy.org/
squeegy@squeegy.org
References:
- Re: access, From: "Kurt D. Zeilenga" <Kurt@OpenLDAP.org>
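An added example, my own code rather than anything from the thread or from OpenLDAP: a simplified Python model of the slapd access evaluation the reply describes, including the fall-through to default access that makes the single-rule configuration still readable anonymously. The sample entry, the rules written as tuples, the {crypt} placeholder value and the omission of the attr=entry pseudo-attribute are assumptions of this model, not OpenLDAP's actual matching code.

```python
import re

# slapd access levels; a grant at one level implies every lower level.
LEVELS = ["none", "auth", "compare", "search", "read", "write"]

def who_matches(who, binddn, entry):
    """Simplified model of a 'by <who>' clause (constructed, 1.x-style)."""
    if who == "*":
        return True
    if binddn is None:                       # anonymous matches only '*'
        return False
    if who == "self":
        return binddn.lower() == entry["dn"].lower()
    if who.startswith("dnattr="):            # bind DN is a value of entry's <attr>
        return binddn in entry.get(who[7:], [])
    if who.startswith("dn="):                # regex over the bind DN
        return re.fullmatch(who[3:], binddn, re.I) is not None
    return False

def allowed(rules, default, entry, attr, binddn, level):
    """True if binddn has at least `level` on `attr` of `entry`: the first matching
    'access to' clause decides, its first matching 'by' clause wins, and with no
    matching 'by' clause the default access applies (the implicit 'by * default')."""
    for target, by_clauses in rules:         # target: '*', 'attr=a,b' or 'dn=<regex>'
        if target.startswith("attr=") and attr.lower() not in target[5:].lower().split(","):
            continue
        if target.startswith("dn=") and not re.fullmatch(target[3:], entry["dn"], re.I):
            continue
        granted = default
        for who, access in by_clauses:
            if who_matches(who, binddn, entry):
                granted = access
                break
        return LEVELS.index(granted) >= LEVELS.index(level)
    return LEVELS.index(default) >= LEVELS.index(level)

# Constructed sample entry; the owner DN mirrors the one used in the thread.
OWNER = "cn=JT Chiodi,ou=Employee,dc=amsite,dc=com"
ENTRY = {"dn": "cn=Bob,ou=Employee,dc=amsite,dc=com", "owner": [OWNER],
         "sn": ["Bob"], "userpassword": ["{crypt}PLACEHOLDER"]}

# The single rule from the question, then the reply's ruleset (attr=entry omitted).
ORIGINAL_RULES = [("dn=.*,dc=amsite,dc=com", [("dnattr=owner", "write")])]
REVISED_RULES = [
    ("attr=owner", [("dnattr=owner", "write"), ("*", "read")]),
    ("attr=cn,givenName,sn,uid", [("self", "write"), ("dnattr=owner", "write"),
                                  ("dn=.+", "read"), ("*", "search")]),
    ("attr=userpassword", [("self", "write"), ("dnattr=owner", "write"), ("*", "none")]),
    ("*", [("self", "write"), ("dnattr=owner", "write"), ("dn=.+", "read"), ("*", "none")]),
]
```

With a default access of "read", `allowed(ORIGINAL_RULES, "read", ENTRY, "userpassword", None, "read")` is true for an anonymous bind, while the revised rules deny it yet still let anonymous users search on sn and authenticated users read it.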