[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: dn.exact vs dn.base

To: <openldap-technical@openldap.org>
Subject: Re: dn.exact vs dn.base
From: Turbo Fredriksson <turbo@bayour.com>
Date: Thu, 24 May 2012 13:38:35 +0200
User-agent: Binero Webmail/0.5.1

[sorry, should have gone to the list]

On Thu, 24 May 2012 14:02:28 +0300, Nick Milas wrote:

access to dn.base="ou=system,dc=example,dc=com"
   by dn.exact="uid=userx,ou=people,dc=example,dc=com" write


This gives 'uid=userx,...' access to 'ou=system,...' _and everything
below it_.

access to dn.exact="ou=system,dc=example,dc=com"
   by dn.base="uid=userx,ou=people,dc=example,dc=com" write

While this is the opposite - it gives 'uid=userx,...' and any objectsbelow

this (not much point in this exact example :) to ONLY the base object
'ou=system,...'.

For example:

----- s n i p -----
access to dn.exact=""

attrs=supportedSASLMechanisms,namingContexts,subschemaSubentry,objectClass,monitorContext,configContext,entry

        by domain.subtree="bayour.com" read
        by peername.ip="127\.0\.0\.1" read
        by peername.ip="192\.168\.69\.8" read
        by peername.path="/var/run/slapd/ldapi" read
----- s n i p -----

This gives almost anonymous access to certain attributes to the baseDN...

Follow-Ups:
- Re: dn.exact vs dn.base
  - From: "Patrick H." <openldap@stormcloud9.net>

Prev by Date: dn.exact vs dn.base
Next by Date: Re: dn.exact vs dn.base
Index(es):
- Chronological
- Thread