Ron Peterson wrote:
> I'm trying to create an acl which allows a particular user to search my
> DIT and retrieve dn values only. Perhaps a (broken) attempt at an acl
> will help explain what I mean:
>
> access to dn.children="dc=mtholyoke,dc=edu" attrs=distinguishedName
> by dn="cn=proxysearchdn,dc=mtholyoke,dc=edu" read
> by * break
>
> access to dn.children="dc=mtholyoke,dc=edu"
> by dn="cn=proxysearchdn,dc=mtholyoke,dc=edu" search
> by * break
>
> I want to use my proxysearchdn user to do the first step of a search and
> bind operation, without giving that user any more access to objects than
> necessary.
>
> BTW, I can indicate attrs=distinguishedName, but attrs=dn gives me an
> error. Correct behaviour, I'm sure, but I'm not sure then how to say
> what I mean.
attrs=entry will give access to the pseudo-attribute "entry", which implies access to the entry's DN. That's what is checked when determining if an entry is to be returned by a search operation.

p.

Ing. Pierangelo Masarati
OpenLDAP Core Team

SysNet s.r.l.
via Dossi, 8 - 27100 Pavia - ITALIA
http://www.sys-net.it
---------------------------------------
Office: +39 02 23998309
Mobile: +39 333 4963172
Email: [EMAIL PROTECTED]
---------------------------------------
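Putting the reply into a concrete slapd.conf fragment, as an added example that is not part of the thread: the proxy identity gets read on the "entry" pseudo-attribute (read implies search, so one rule covers both evaluating the filter against the entry and returning its DN) plus search-only access to the attribute the application filters on, and nothing else. The suffix and proxy DN are taken from the original post; the assumption that the application searches on uid, and the ou=people entry DN used in the check below, are mine.

```conf
# Added example, not from the thread. Least-privilege ACL for a search-then-bind
# proxy identity: it may locate entries under the suffix and learn their DNs only.
# Assumptions: users carry a uid attribute that the application filters on.

# "entry" is the pseudo-attribute slapd checks before returning an entry at all.
# read implies search, so this one rule lets the proxy both evaluate the filter
# against the entry and receive the entry's DN in the result.
access to dn.children="dc=mtholyoke,dc=edu" attrs=entry
    by dn.exact="cn=proxysearchdn,dc=mtholyoke,dc=edu" read
    by * break

# The proxy needs search (not read) on the attribute named in its filter, so
# (uid=jdoe) can match without the proxy being able to read uid values back.
access to dn.children="dc=mtholyoke,dc=edu" attrs=uid
    by dn.exact="cn=proxysearchdn,dc=mtholyoke,dc=edu" search
    by * break

# The second step of the pattern is the user's own simple bind, which happens
# while the connection is still anonymous, hence "anonymous auth". The proxy
# identity gets no access to userPassword at all.
access to dn.children="dc=mtholyoke,dc=edu" attrs=userPassword
    by anonymous auth
    by self write
    by * none

# Remaining attributes: the proxy identity falls through to "none" here, while
# users keep read access to their own entry.
access to dn.children="dc=mtholyoke,dc=edu"
    by self read
    by * none
```

The ordering matters: the proxy rules come first and use `by * break` so other identities continue to the later rules, while the proxy identity matches the earlier rules and never reaches the broader ones. To confirm the effective rights without a client, slapacl can be run against the configured database, for example `slapacl -b "uid=jdoe,ou=people,dc=mtholyoke,dc=edu" -D "cn=proxysearchdn,dc=mtholyoke,dc=edu" entry/read uid/search mail/read` (the entry DN is a placeholder), which should report read granted on entry, search granted on uid, and read denied on mail.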
