Re: acls and restricting permissions
On Wed, Dec 3, 2008 at 12:30 AM, Andrew Findlay
<andrew.findlay@skills-1st.co.uk> wrote:
> You could split the rule into two clauses:
>
> access to attr=c,o,ou,cn,sn,givenName,mail,entry
>   by dn.exact=cn=limited,dc=example,dc=com read
>   by * break
>
> access to *
>   by dn.exact=cn=limited,dc=example,dc=com none
>   by * break
Thanks for your assistance, Andrew; this approach seems to be working well.
I needed to add more attributes, but primarily only to make my LDAP
browser happy, allow syncrepl, and some handy informational attributes
for the carbon-based lifeforms who maintain the data.
Cheers
Brett
For posterity, and google, the final config came out as:
# allow replicator to read all
access to *
  by dn.exact="cn=replicator,dc=example,dc=com" read
  by * break

# restricted set of non-operational attributes
access to attr=c,o,ou,cn,sn,givenName,mail,entry
  by dn.exact="cn=limited,dc=example,dc=com" read
  by * break

# for browsing / syncrepl
access to attr=objectClass,hasSubordinates,entryDN,entryCSN,entryUUID
  by dn.exact="cn=limited,dc=example,dc=com" read
  by * break

# modify/create information
access to attr=createTimestamp,modifyTimestamp,creatorsName,modifiersName
  by dn.exact="cn=limited,dc=example,dc=com" read
  by * break

# disallow other access by limited user
access to *
  by dn.exact="cn=limited,dc=example,dc=com" none
  by * break

# default rules
access to *
  by self write
  by * read
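Slapd walks the access directives in order and, within each one, takes the first matching "by" clause; "break" is what lets the limited-user rules fall through to later directives. The simulator below is an added example, not code from the original post and not OpenLDAP's evaluator: it parses the ruleset above (indented into slapd.conf continuation-line form) and resolves access for a few binds. The DNs `uid=alice,...` and the `HARDENED_ACL` variant with a `userPassword` directive are my additions, not part of the posted config. The variant is there because, as the run shows, the final `by * read` catch-all gives any bind that the earlier rules never mention, anonymous included, read on every unmatched attribute, `userPassword` among them, and because the `by dn.exact=... none` rule stops the limited user before it ever reaches `by self write`.

```python
# Added example: small simulator of slapd's first-match ACL evaluation
# (not OpenLDAP code). Models only what the ruleset in this message uses:
# attr lists, "*", dn.exact, self, anonymous, plain levels and "break".
# Scopes, filters, groups, sets, per-privilege grants and the separate
# "entry" pseudo-attribute check are deliberately not modelled.
from dataclasses import dataclass, field
from typing import List, Optional, Set

LEVELS = ["none", "disclose", "auth", "compare", "search", "read", "write", "manage"]

# The posted ruleset, verbatim apart from continuation-line indentation.
POSTED_ACL = """
access to *
  by dn.exact="cn=replicator,dc=example,dc=com" read
  by * break
access to attr=c,o,ou,cn,sn,givenName,mail,entry
  by dn.exact="cn=limited,dc=example,dc=com" read
  by * break
access to attr=objectClass,hasSubordinates,entryDN,entryCSN,entryUUID
  by dn.exact="cn=limited,dc=example,dc=com" read
  by * break
access to attr=createTimestamp,modifyTimestamp,creatorsName,modifiersName
  by dn.exact="cn=limited,dc=example,dc=com" read
  by * break
access to *
  by dn.exact="cn=limited,dc=example,dc=com" none
  by * break
access to *
  by self write
  by * read
"""
# Conventional userPassword rule (my addition, not from the post), placed
# right after the replicator rule so replication still sees the hashes.
PASSWORD_RULE = "access to attrs=userPassword\n  by self write\n  by anonymous auth\n  by * none\n"
HARDENED_ACL = POSTED_ACL.replace("access to attr=c,", PASSWORD_RULE + "access to attr=c,", 1)

@dataclass
class By:
    who: str    # 'dn.exact=<dn>', 'self', 'anonymous' or '*'
    level: str  # access level, or the 'break' control

@dataclass
class Access:
    attrs: Optional[Set[str]]  # lower-cased attribute names; None means '*'
    by: List[By] = field(default_factory=list)

def parse_acl(text: str) -> List[Access]:
    rules, cur = [], None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if parts[:2] == ["access", "to"]:
            what = parts[2]
            if what == "*":
                cur = Access(None)
            elif what.startswith(("attr=", "attrs=")):
                cur = Access({a.lower() for a in what.split("=", 1)[1].split(",")})
            else:
                raise ValueError("unsupported <what>: " + what)
            rules.append(cur)
        elif parts[0] == "by" and cur is not None:
            cur.by.append(By(parts[1].replace('"', ""), parts[2]))
        else:
            raise ValueError("unparsed line: " + line)
    return rules

def who_matches(who: str, bind_dn: Optional[str], target_dn: str) -> bool:
    if who == "*":
        return True
    if who == "anonymous":
        return bind_dn is None
    if bind_dn is None:
        return False
    if who == "self":
        return bind_dn.lower() == target_dn.lower()
    if who.startswith("dn.exact="):
        return bind_dn.lower() == who[len("dn.exact="):].lower()
    raise ValueError("unsupported <who>: " + who)

def evaluate(rules: List[Access], bind_dn: Optional[str], target_dn: str, attr: str) -> str:
    """Access level bind_dn gets on attr of target_dn (bind_dn=None is anonymous)."""
    for rule in rules:
        if rule.attrs is not None and attr.lower() not in rule.attrs:
            continue
        for clause in rule.by:
            if who_matches(clause.who, bind_dn, target_dn):
                if clause.level == "break":
                    break            # leave this directive, keep walking the list
                return clause.level  # first matching <by> decides (implicit 'stop')
        else:
            return "none"            # no <by> matched: denied, evaluation stops
    return "none"                    # fell off the end: implicit 'by * none'

LIMITED = "cn=limited,dc=example,dc=com"
REPLICATOR = "cn=replicator,dc=example,dc=com"
ALICE = "uid=alice,ou=people,dc=example,dc=com"  # hypothetical ordinary entry

if __name__ == "__main__":
    for name, text in ("posted", POSTED_ACL), ("hardened", HARDENED_ACL):
        rules = parse_acl(text)
        for who, label in (None, "anonymous"), (LIMITED, "limited"), (ALICE, "alice on self"):
            print(name, label, "userPassword ->", evaluate(rules, who, ALICE, "userPassword"))
```

Two things worth noticing in the output. Under the posted rules the limited bind gets `none` on its own `userPassword`, so it cannot change its password even though the last directive says `by self write`; with the added directive it can, because `self` is checked before `by * none`. And the placement of the `userPassword` directive matters: put it before the replicator rule and `by * none` would stop the replicator from reading the hashes, which is exactly the kind of ordering mistake an `ldapsearch` as each bind DN against a test server will catch before it reaches production.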