
Re: ACL Issues



On Thu, 17 Feb 2011 07:46:24 -0800,
Troy Knabe <knabe@4j.lane.edu> wrote:

> 
> On Feb 17, 2011, at 3:09 AM, Dieter Kluenter wrote:
> 
> > On Wed, 16 Feb 2011 08:37:24 -0800,
> > Troy Knabe <knabe@4j.lane.edu> wrote:
> > 
> >> I didn't get any responses, so I am asking again.   Did I not
> >> phrase my question correctly, or am I missing something?
> >> 
> >> Thanks!
> >> -Troy
> >> 
> >> 
> >> On Feb 15, 2011, at 8:40 AM, Troy Knabe wrote:
> >> 
> >>> I am attempting to be very granular in the access that I give to
> >>> my directory, but I seem to be struggling with the implementation.
> >>> 
> >>> I have several proxy accounts that I want to grant the access to
> >>> that they need, no more, no less.  But I seem to have to put a
> >>> line in like:
> >>> 
> >>> access to dn.children="dc=company,dc=com" by * read in order to
> >>> authenticate.  What I thought I wanted was something like this:
> >>> 
> >>> access to attrs=userPassword
> >>> 	by dn.exact=proxy,dc=company,dc=com write
> >>> 	by self write
> >>> 	by anonymous auth
> >>> 
> >>> But without read access above, it does not work.  How can I allow
> >>> proxy users/groups access w/out granting read access to everyone?
> >>> Or does the dn.children allow read access to all attributes?
> > 
> > You need access to the root entry pseudo attributes entry and
> > children, something like
> > 
> > access to dn.children=dc=company,dc=com by users read by * auth
> > access to dn.base=dc=company,dc=com attrs=entry,children by * auth
> 
> That is what I thought, I just wasn't sure how to resolve it.  Thank
> you for the answers.  So now I should be able to give specific access
> to specific attributes for users/groups, correct?

Yes, but you should test these rules; slapd -dacl or -d384 is your
friend.

-Dieter

-- 
Dieter Klünter | Systems Consulting
http://dkluenter.de
GPG Key ID:DA147B05
53°37'09,95"N
10°08'02,42"E
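The thread above turns on two points that are easy to get wrong in slapd.conf: slapd uses the first "access to" clause whose target matches and ignores all later ones, so a broad `by * read` placed before the `attrs=userPassword` rule hands every password hash to anonymous readers, and search clients need access to the `entry` pseudo-attribute of the suffix entry to get at anything below it. The following is an added example of a least-privilege ACL set for the scenario discussed, written by the editor and not taken from the thread or from the OpenLDAP documentation; the DN `cn=proxy,dc=company,dc=com` and the suffix `dc=company,dc=com` are assumed names for illustration.

```conf
# Added example (not from the thread): least-privilege ACLs for one proxy
# account. "cn=proxy,dc=company,dc=com" is an assumed DN.
# Rules are matched top-down on the target; the first "access to" clause
# whose target matches the entry/attribute is the only one evaluated.

# 1. Most specific target first. userPassword must be handled before any
#    rule that covers whole entries, or that broader rule wins and leaks
#    the hashes. "auth" lets a bind compare the password without reading it.
access to attrs=userPassword
        by dn.exact="cn=proxy,dc=company,dc=com" write
        by self write
        by anonymous auth
        by * none

# 2. The suffix entry itself: "entry" controls whether the base can be
#    searched/returned, "children" whether entries may be added below it.
#    Authenticated identities may read; anonymous may only authenticate.
access to dn.base="dc=company,dc=com" attrs=entry,children
        by users read
        by * auth

# 3. Everything below the suffix. Anonymous gets no attribute contents,
#    only enough to authenticate; authenticated users get read.
#    Tighten per attribute or per subtree by adding more specific clauses
#    ABOVE this one, e.g. "access to dn.subtree=ou=private,... attrs=..." .
access to dn.children="dc=company,dc=com"
        by dn.exact="cn=proxy,dc=company,dc=com" read
        by users read
        by * auth
```

Every clause ends in an explicit terminal `by` line so the default of `none` is visible rather than implied. To check the result without a live client, `slapacl` evaluates the configured ACLs for a given identity and target, for example `slapacl -f slapd.conf -D "cn=proxy,dc=company,dc=com" -b "uid=someone,ou=people,dc=company,dc=com" userPassword/read` (the target DN here is an assumed value); running the daemon with `slapd -d acl` logs each access decision as it is made, which is the check Dieter recommends.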