
Re: acls and restricting permissions



On Thu, Dec 04, 2008 at 12:57:13PM +1000, Brett @Google wrote:

> I needed to add more attributes, but primarily only to make my ldap
> browser happy, allow syncrepl, and some handy informational attributes
> for the carbon based lifeforms who maintain the data.

> # allow replicator to read all
> access to *
>     by dn.exact="cn=replicator,dc=example,dc=com" read
>     by * break

That should be enough for syncrepl (assuming you remove the time and
size limits as Gavin pointed out). No rules below this will apply to
the replicator user.

> # restricted set of non-operational attributes
> access to attr=c,o,ou,cn,sn,givenName,mail,entry
>     by dn.exact="cn=limited,dc=example,dc=com" read
>     by * break
> 
> # for browsing / syncrepl
> access to attr=objectClass,hasSubordinates,entryDN,entryCSN,entryUUID
>     by dn.exact="cn=limited,dc=example,dc=com" read
>     by * break

objectclass would certainly be needed by most LDAP browsers. The
others may not be relevant unless you are running a replica whose
content is defined by the ACLs that apply to
"cn=limited,dc=example,dc=com".

Andrew
-- 
-----------------------------------------------------------------------
|                 From Andrew Findlay, Skills 1st Ltd                 |
| Consultant in large-scale systems, networks, and directory services |
|     http://www.skills-1st.co.uk/                +44 1628 782565     |
-----------------------------------------------------------------------
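The evaluation order Andrew describes (the replicator's `read` on `access to *` stops evaluation for that DN, `by * break` lets every other requester fall through to the attribute-specific directives, and anything that matches nothing ends in an implicit `by * none`) can be modelled in a few lines. This is an added example, not code from the thread or from OpenLDAP; the `By`/`Access` classes, `evaluate` and the `NO_BREAK` variant are my own constructs, and only `attrs=`/`*` targets and `dn.exact`/`*` who-clauses are modelled.

```python
"""Model of slapd ACL evaluation for the directives quoted in this thread
(added example, not OpenLDAP code): directives are tried in order, the first
matching 'by' clause wins, 'by * break' hands evaluation to the next directive,
and no match at all is an implicit 'by * none'. Only attrs= / '*' targets and
dn.exact / '*' who-clauses are modelled."""
from __future__ import annotations
from dataclasses import dataclass, field

@dataclass
class By:
    who: str               # exact DN, or "*" for anyone (anonymous is "")
    level: str = "none"    # access level granted when this clause matches
    control: str = "stop"  # "stop" (the default) or "break"

@dataclass
class Access:
    attrs: set[str] | None  # None models "access to *"
    by: list[By] = field(default_factory=list)

def evaluate(rules: list[Access], requester_dn: str, attr: str) -> str:
    """Return the access level requester_dn ('' = anonymous) gets on attr."""
    for rule in rules:
        if rule.attrs is not None and attr not in rule.attrs:
            continue                # <what> does not match: next directive
        for clause in rule.by:
            if clause.who != "*" and clause.who != requester_dn:
                continue            # <who> does not match: next clause
            if clause.control == "break":
                break               # fall through to the next directive
            return clause.level     # stop: first matching clause wins
        else:
            return "none"           # no <who> matched: implicit 'by * none'
    return "none"                   # no directive granted anything: deny

REPL = "cn=replicator,dc=example,dc=com"
LIMITED = "cn=limited,dc=example,dc=com"
# Brett's three directives, transcribed as data.
RULES = [
    Access(None, [By(REPL, "read"), By("*", control="break")]),
    Access({"c", "o", "ou", "cn", "sn", "givenName", "mail", "entry"},
           [By(LIMITED, "read"), By("*", control="break")]),
    Access({"objectClass", "hasSubordinates", "entryDN", "entryCSN", "entryUUID"},
           [By(LIMITED, "read"), By("*", control="break")]),
]
# The same, but with 'by * break' dropped from the first directive: the
# implicit 'by * none' then stops evaluation for everyone but the replicator.
NO_BREAK = [Access(None, [By(REPL, "read")]), RULES[1], RULES[2]]
```

Running `evaluate(RULES, LIMITED, "userPassword")` shows the fall-through ending in `none`, while `evaluate(NO_BREAK, LIMITED, "cn")` shows why the `by * break` line is what makes the later directives reachable at all.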