[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: ldap queries rewriting

To: Guillaume Rousse <Guillaume.Rousse@inria.fr>
Subject: Re: ldap queries rewriting
From: Aaron Richton <richton@nbcs.rutgers.edu>
Date: Wed, 5 Dec 2007 13:58:41 -0500 (EST)
Cc: openldap-software@openldap.org

If the copier has a Bind DN option, then something along the lines of...

access to dn.subtree="ou=Engineering,dc=example,dc=com"
  by dn.exact="cn=EngineeringCopier,ou=Engineering,dc=example,dc=com" read
  by [...everythingelse...]

access to *
  by dn.exact="cn=EngineeringCopier,ou=Engineering,dc=example,dc=com" none
  by [...everythingelse...]

If it doesn't, you could substitute the "dn.exact" with "peername.ip." Super disgusting, but it'd probably work.

(NOTE: if you're going to write back "they're all in ou=People" try

access to dn.subtree="ou=People,dc=example,dc=com"
  filter="(dept=Engineering)"
  by dn.exact="cn=EngineeringCopier,ou=Devices,dc=example,dc=com" read
  by [...everythingelse...])

Follow-Ups:
- Re: ldap queries rewriting
  - From: Guillaume Rousse <Guillaume.Rousse@inria.fr>

Prev by Date: Re: access control
Next by Date: CRL expiration
Index(es):
- Chronological
- Thread