On Thu, Dec 04, 2008 at 12:57:13PM +1000, Brett @Google wrote:

> I needed to add more attributes, but primarily only to make my ldap
> browser happy, allow syncrepl, and some handy informational attributes
> for the carbon based lifeforms who maintain the data.
>
> # allow replicator to read all
> access to *
>         by dn.exact="cn=replicator,dc=example,dc=com" read
>         by * break

That should be enough for syncrepl (assuming you remove the time and
size limits as Gavin pointed out). No rules below this will apply to the
replicator user.

> # restricted set of non-operational attributes
> access to attr=c,o,ou,cn,sn,givenName,mail,entry
>         by dn.exact="cn=limited,dc=example,dc=com" read
>         by * break
>
> # for browsing / syncrepl
> access to attr=objectClass,hasSubordinates,entryDN,entryCSN,entryUUID
>         by dn.exact="cn=limited,dc=example,dc=com" read
>         by * break

objectClass would certainly be needed by most LDAP browsers. The others
may not be relevant unless you are running a replica whose content is
defined by the ACLs that apply to "cn=limited,dc=example,dc=com".

Andrew
-- 
-----------------------------------------------------------------------
| From Andrew Findlay, Skills 1st Ltd                                 |
| Consultant in large-scale systems, networks, and directory services |
| http://www.skills-1st.co.uk/                        +44 1628 782565 |
-----------------------------------------------------------------------
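As an added illustration that is not part of the thread, the following Python models slapd's ACL evaluation order (directives tried in order, first matching "access to" selected, "by" clauses tried in order, "break" falling through to the next directive) over the three rules Brett posted, so you can see why the first "access to *" directive settles everything for the replicator while "cn=limited" only sees the listed attributes. The simulator, its helper names and the assumption that a request matched by no rule is denied once any ACL is configured are mine, not slapd code.

```python
# Toy model of slapd ACL evaluation, written for this thread (assumption:
# attribute-level "what" selectors only; a request no directive grants is
# denied, slapd's implicit "by * none").
LEVELS = ["none", "disclose", "auth", "compare", "search", "read", "write", "manage"]

REPLICATOR = "cn=replicator,dc=example,dc=com"
LIMITED = "cn=limited,dc=example,dc=com"

# Brett's three directives in the order posted: (what, [(who, level, control)]).
# "by * break" carries no explicit level, modelled here as "none".
ACLS = [
    ("*", [(REPLICATOR, "read", "stop"), ("*", "none", "break")]),
    ("c,o,ou,cn,sn,givenName,mail,entry",
     [(LIMITED, "read", "stop"), ("*", "none", "break")]),
    ("objectClass,hasSubordinates,entryDN,entryCSN,entryUUID",
     [(LIMITED, "read", "stop"), ("*", "none", "break")]),
]


def what_matches(what, attr):
    """'*' matches everything; otherwise attribute names compare case-insensitively."""
    return what == "*" or attr.lower() in [a.lower() for a in what.split(",")]


def who_matches(who, bind_dn):
    """'*' matches any requester, including anonymous (empty DN); else dn.exact."""
    return who == "*" or who.lower() == bind_dn.lower()


def access_level(bind_dn, attr, acls=ACLS):
    """Return (level, index of the last directive whose 'by' clause matched)."""
    level, last_rule = "none", None
    for idx, (what, by_clauses) in enumerate(acls):
        if not what_matches(what, attr):
            continue                      # this directive does not cover attr
        for who, lvl, control in by_clauses:
            if who_matches(who, bind_dn):
                level, last_rule = lvl, idx
                if control == "stop":     # default control: decision is final
                    return level, last_rule
                break                     # "break": go on to the next directive
        else:
            return "none", last_rule      # no "by" clause matched this requester
    return level, last_rule               # ran out of directives


def can(bind_dn, attr, wanted):
    """True if the granted level is at least the requested one."""
    level, _ = access_level(bind_dn, attr)
    return LEVELS.index(level) >= LEVELS.index(wanted)
```

Running access_level(REPLICATOR, "userPassword") returns ("read", 0): the first directive decides for the replicator, which is exactly why the rules below it never apply to that user.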
