[Date Prev][Date Next] [Chronological] [Thread] [Top]

acl to read dn only

To: openldap-software@openldap.org
Subject: acl to read dn only
From: Ron Peterson <rpeterso@mtholyoke.edu>
Date: Fri, 14 Mar 2008 11:36:06 -0400
Content-disposition: inline
Mail-followup-to: openldap-software@openldap.org
Organization: Mount Holyoke College
User-agent: Mutt/1.5.9i

I'm trying to create an acl which allow a particular use to search my
DIT and retrieve dn values only.  Perhaps a (broken) attempt at an acl
will help explain what I mean:

access to dn.children="dc=mtholyoke,dc=edu" attrs=distinguishedName
       by dn="cn=proxysearchdn,dc=mtholyoke,dc=edu" read
       by * break

access to dn.children="dc=mtholyoke,dc=edu"
       by dn="cn=proxysearchdn,dc=mtholyoke,dc=edu" search
       by * break

I want to use my proxysearchdn user to do the first step of a search and
bind operation, without giving that user any more access to objects than
necessary.

BTW, I can indicate attrs=distinguishedName, but attrs=dn gives me an
error.  Correct behaviour, I'm sure, but I'm not sure then how to say
what I mean.

TIA.

-- 
Ron Peterson
Network & Systems Manager
Mount Holyoke College
http://www.mtholyoke.edu/~rpeterso

Follow-Ups:
- Re: acl to read dn only
  - From: Pierangelo Masarati <ando@sys-net.it>

Prev by Date: Re: New error (ldap_get_values_len returns NULL)
Next by Date: Re: acl to read dn only
Index(es):
- Chronological
- Thread