[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: ldap queries rewriting

To: Aaron Richton <richton@nbcs.rutgers.edu>, openldap-software@openldap.org
Subject: Re: ldap queries rewriting
From: Guillaume Rousse <Guillaume.Rousse@inria.fr>
Date: Thu, 06 Dec 2007 12:44:12 +0100
In-reply-to: <Pine.SOC.4.64.0712051345380.4806@toolbox.rutgers.edu>
References: <Pine.SOC.4.64.0712051345380.4806@toolbox.rutgers.edu>
User-agent: Thunderbird 2.0.0.9 (X11/20071128)

Aaron Richton wrote:

If the copier has a Bind DN option, then something along the lines of...

access to dn.subtree="ou=Engineering,dc=example,dc=com"
  by dn.exact="cn=EngineeringCopier,ou=Engineering,dc=example,dc=com" read
  by [...everythingelse...]

access to *
  by dn.exact="cn=EngineeringCopier,ou=Engineering,dc=example,dc=com" none
  by [...everythingelse...]

Excellent, I thought ACLs were restricted to attributes only, not to whole entries.

If it doesn't, you could substitute the "dn.exact" with "peername.ip." Super disgusting, but it'd probably work.

Bind dn option failed because printer doesn't allow to install ca certificates, nor to do ssl/tls without checking server certificates, and autentication is only permitted through encrypted connection, so I had to rely on copier IP.

Thanks !
--
Guillaume Rousse
Moyens Informatiques - INRIA Futurs
Tel: 01 69 35 69 62

References:
- Re: ldap queries rewriting
  - From: Aaron Richton <richton@nbcs.rutgers.edu>

Prev by Date: Re: access control
Next by Date: Active/Active servers
Index(es):
- Chronological
- Thread