2008-03-14_13:02:23-0400 Pierangelo Masarati <[EMAIL PROTECTED]>:
> Ron Peterson wrote:
> > I'm trying to create an acl which allows a particular user to search my
> > DIT and retrieve dn values only. Perhaps a (broken) attempt at an acl
> > will help explain what I mean:
> >
> > access to dn.children="dc=mtholyoke,dc=edu" attrs=distinguishedName
> >     by dn="cn=proxysearchdn,dc=mtholyoke,dc=edu" read
> >     by * break
> >
> > access to dn.children="dc=mtholyoke,dc=edu"
> >     by dn="cn=proxysearchdn,dc=mtholyoke,dc=edu" search
> >     by * break
> >
> > I want to use my proxysearchdn user to do the first step of a search and
> > bind operation, without giving that user any more access to objects than
> > necessary.
> >
> > BTW, I can indicate attrs=distinguishedName, but attrs=dn gives me an
> > error. Correct behaviour, I'm sure, but I'm not sure then how to say
> > what I mean.
>
> attrs=entry will give access to the pseudo-attribute "entry", which
> implies access to the entry's DN. That's what is checked when
> determining if an entry is to be returned by a search operation.
Ah, perfect. When I replace 'distinguishedName' above w/ 'entry' I get just what I was looking for. Thanks!

--
Ron Peterson
Network & Systems Manager
Mount Holyoke College
http://www.mtholyoke.edu/~rpeterso
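As an added worked example (not part of the original exchange, and not taken from any OpenLDAP documentation), here is the pair of access clauses written out as they would appear in slapd.conf once `distinguishedName` is replaced with the `entry` pseudo-attribute, with the rejected form left as a comment for contrast. The base DN and the proxy user's DN are the ones quoted in the thread; it is assumed these are the first `access to` clauses in the file, so that nothing earlier matches first.

```conf
# Search-and-bind proxy user: may find entries (and thus learn their DNs)
# but may not read any attribute values.

# Rejected form from the original question: "distinguishedName" is an
# ordinary attribute target, not the thing slapd checks when deciding
# whether an entry may be returned, and "attrs=dn" is not accepted at all.
# access to dn.children="dc=mtholyoke,dc=edu" attrs=distinguishedName
#     by dn="cn=proxysearchdn,dc=mtholyoke,dc=edu" read
#     by * break

# Corrected clause 1: "entry" is the pseudo-attribute consulted when a
# search result is about to be returned. Granting read on it lets the
# proxy user receive the entry (i.e. its DN) in search results.
access to dn.children="dc=mtholyoke,dc=edu" attrs=entry
    by dn="cn=proxysearchdn,dc=mtholyoke,dc=edu" read
    by * break

# Clause 2: "search" on the remaining attributes lets the proxy user's
# filter (e.g. a uid match) be evaluated against them, without granting
# read, so attribute values are never disclosed to this identity.
access to dn.children="dc=mtholyoke,dc=edu"
    by dn="cn=proxysearchdn,dc=mtholyoke,dc=edu" search
    by * break

# ... remaining access clauses for other identities follow here.
```

Because slapd applies the first `access to` clause whose target matches, the `attrs=entry` clause is the only one consulted for the `entry` pseudo-attribute, while every real attribute falls through to the second clause, where the proxy user gets `search` but not `read`. The `by * break` lines leave evaluation open for any other bind identity, so later clauses in the file still govern normal users. The practical check is to bind as `cn=proxysearchdn,dc=mtholyoke,dc=edu`, run a search with a filter on a real attribute and `1.1` as the requested attribute list (DN only), and confirm that matching DNs come back while a request for the attribute values themselves returns nothing for that identity.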
