Sascha Wilde
2007-Jun-06 14:36 UTC
[Fedora-directory-users] ACI trouble: binding as a UID in an "hidden" branch
Hi *,
I'm having a directory with a basedn:
dc=foo, dc=bar
containing a "sub directory" named "internal":
cn=internal, dc=foo, dc=bar
Now I want to hide "internal" and its children from most users, with
the exception of the members of some administrative groups, so I added an
ACI to "internal" like this:
(targetattr = "*") (version 3.0;acl "hide internal";
deny (read,write,delete,add)
(groupdn != "ldap:///cn=admin,cn=internal,dc=foo,dc=bar" and
groupdn != "ldap:///cn=configuration administrators,ou=groups,
ou=topologymanagement,o=netscaperoot");)
Now I have a user cn=manager,cn=internal,dc=foo,dc=bar who is a member
of the group cn=admin,cn=internal,dc=foo,dc=bar and should be allowed
to access "internal" and its children.
But this doesn't work: I can't even bind as
cn=manager,cn=internal,dc=foo,dc=bar I suppose because the user is a
child of "internal", and so anonymous isn't allowed to access the
object for authentication.
How can I achieve that it is possible to bind as a user in the hidden
sub directory without making it world readable?
cheers
sascha
--
Sascha Wilde OpenPGP key: 4BB86568
Intevation GmbH, Osnabrück http://www.intevation.de/~wilde/
Amtsgericht Osnabrück, HR B 18998 http://www.intevation.de/
Geschäftsführer: Frank Koormann, Bernhard Reiter, Dr. Jan-Oliver Wagner
Sascha Wilde
2007-Jun-08 07:52 UTC
Re: [Fedora-directory-users] ACI trouble: binding as a UID in an "hidden" branch
Sascha Wilde <wilde@intevation.de> writes:
[...]
> But this doesn't work: I can't even bind as
> cn=manager,cn=internal,dc=foo,dc=bar I suppose because the user is a
> child of "internal", and so anonymous isn't allowed to access the
> object for authentication.
For the record: my analysis of the problem was wrong. It _is_
possible to bind as an object which is not world readable. My
problems were caused by a specific client, so this is a non-issue.
Sorry for the noise.
sascha
--
Sascha Wilde OpenPGP key: 4BB86568
Intevation GmbH, Osnabrück http://www.intevation.de/~wilde/
Amtsgericht Osnabrück, HR B 18998 http://www.intevation.de/
Geschäftsführer: Frank Koormann, Bernhard Reiter, Dr. Jan-Oliver Wagner