On Wed, 16 Feb 2011 08:37:24 -0800, Troy Knabe <[email protected]> wrote:
> I didn't get any responses, so I am asking again. Did I not phrase
> my question correctly, or am I missing something?
>
> Thanks!
> -Troy
>
>
> On Feb 15, 2011, at 8:40 AM, Troy Knabe wrote:
>
> > I am attempting to be very granular in the access that I give to my
> > directory, but I seem to be struggling with the implementation.
> >
> > I have several proxy accounts that I want to grant the access to
> > that they need, no more, no less. But I seem to have to put a line
> > in like:
> >
> > access to dn.children="dc=company,dc=com" by * read in order to
> > authenticate. What I thought I wanted was something like this:
> >
> > access to attrs=userPassword
> >     by dn.exact=proxy,dc=company,dc=com write
> >     by self write
> >     by anonymous auth
> >
> > But without read access above, it does not work. How can I allow
> > proxy users/groups access w/out granting read access to everyone?
> > Or does the dn.children allow read access to all attributes?

You need access to the root entry pseudo attributes entry and children,
something like

access to dn.children=dc=company,dc=com
    by users read
    by * auth

access to dn.base=dc=company,dc=com attrs=entry,children
    by * auth

-Dieter

-- 
Dieter Klünter | Systemberatung
http://dkluenter.de
GPG Key ID:DA147B05
53°37'09,95"N 10°08'02,42"E
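Added example, not part of either message and not OpenLDAP code: a simplified Python model of how slapd selects an ACL (first matching `access to`, then first matching `by`, with the implicit trailing `by * none`), applied to the rules quoted above. The proxy DN `cn=proxy,dc=company,dc=com` and the `uid=alice` / `uid=bob` entries are assumptions made for the example; regex, sets and control keywords are not modelled.

```python
# Simplified model of slapd ACL selection (added example, not OpenLDAP code).
SUFFIX = "dc=company,dc=com"
PROXY = "cn=proxy," + SUFFIX             # assumed DN for the proxy account
ALICE = "uid=alice,ou=people," + SUFFIX  # constructed sample entries
BOB = "uid=bob,ou=people," + SUFFIX

def what_matches(scope, base, attrs, target, attr):
    """Does the <what> part of a rule cover this entry and attribute?"""
    if attrs is not None and attr not in attrs:
        return False
    if scope == "children":
        return target != base and target.endswith("," + base)
    if scope == "base":
        return target == base
    return True  # no DN part: the rule applies to every entry

def who_matches(who, requester, target):
    """requester is None for an anonymous connection."""
    if who == "*":
        return True
    if who == "anonymous":
        return requester is None
    if who == "users":
        return requester is not None
    if who == "self":
        return requester is not None and requester == target
    return requester == who  # treated as dn.exact

def access(acl, requester, target, attr):
    """First matching 'access to' wins, then the first matching 'by' inside it."""
    for scope, base, attrs, by_list in acl:
        if what_matches(scope, base, attrs, target, attr):
            for who, level in by_list:
                if who_matches(who, requester, target):
                    return level
            return "none"  # implicit trailing 'by * none'
    return "none"          # implicit final 'access to * by * none'

# The userPassword rule from the question and the two rules from the reply.
PASSWORD_RULE = (None, None, {"userPassword"},
                 [(PROXY, "write"), ("self", "write"), ("anonymous", "auth")])
REPLY_RULES = [("children", SUFFIX, None, [("users", "read"), ("*", "auth")]),
               ("base", SUFFIX, {"entry", "children"}, [("*", "auth")])]

if __name__ == "__main__":
    for name, acl in [("userPassword rule only", [PASSWORD_RULE]),
                      ("reply rules only", REPLY_RULES),
                      ("userPassword rule first", [PASSWORD_RULE] + REPLY_RULES)]:
        print(name,
              "| proxy->uid:", access(acl, PROXY, ALICE, "uid"),
              "| bob->alice userPassword:", access(acl, BOB, ALICE, "userPassword"))
```

In this model the reply's rules on their own give every authenticated user read access to `userPassword`, so the `userPassword` rule has to be listed before them. On a real server, `slapacl` can check the same combinations against the actual configuration.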
