[Date Prev][Date Next] [Chronological] [Thread] [Top]

acl to read dn only



I'm trying to create an acl which allow a particular use to search my
DIT and retrieve dn values only.  Perhaps a (broken) attempt at an acl
will help explain what I mean:

access to dn.children="dc=mtholyoke,dc=edu" attrs=distinguishedName
       by dn="cn=proxysearchdn,dc=mtholyoke,dc=edu" read
       by * break

access to dn.children="dc=mtholyoke,dc=edu"
       by dn="cn=proxysearchdn,dc=mtholyoke,dc=edu" search
       by * break

I want to use my proxysearchdn user to do the first step of a search and
bind operation, without giving that user any more access to objects than
necessary.

BTW, I can indicate attrs=distinguishedName, but attrs=dn gives me an
error.  Correct behaviour, I'm sure, but I'm not sure then how to say
what I mean.

TIA.

-- 
Ron Peterson
Network & Systems Manager
Mount Holyoke College
http://www.mtholyoke.edu/~rpeterso