Sascha Wilde
2007-Jun-06 14:36 UTC
[Fedora-directory-users] ACI trouble: binding as a UID in an "hidden" branch
Hi *,

I'm having a directory with a basedn:

  dc=foo, dc=bar

containing a "sub directory" named "internal":

  cn=internal, dc=foo, dc=bar

Now I want to hide "internal" and its children from most users, with the exception of the members of some administrative groups, so I added an ACI to "internal" like this:

  (targetattr = "*")
  (version 3.0;acl "hide internal";
   deny (read,write,delete,add)
   (groupdn != "ldap:///cn=admin,cn=internal,dc=foo,dc=bar" and
    groupdn != "ldap:///cn=configuration administrators,ou=groups, ou=topologymanagement,o=netscaperoot");)

Now I have a user

  cn=manager,cn=internal,dc=foo,dc=bar

who is a member of the group

  cn=admin,cn=internal,dc=foo,dc=bar

and should be allowed to access "internal" and its children.

But this doesn't work: I can't even bind as cn=manager,cn=internal,dc=foo,dc=bar, I suppose because the user is a child of "internal", and so anonymous isn't allowed to access the object for authentication.

How can I achieve that it is possible to bind as a user in the hidden sub directory without making it world readable?

cheers
sascha
--
Sascha Wilde, OpenPGP key: 4BB86568
Intevation GmbH, Osnabrück, http://www.intevation.de/~wilde/
Amtsgericht Osnabrück, HR B 18998, http://www.intevation.de/
Geschäftsführer: Frank Koormann, Bernhard Reiter, Dr. Jan-Oliver Wagner
Sascha Wilde
2007-Jun-08 07:52 UTC
Re: [Fedora-directory-users] ACI trouble: binding as a UID in an "hidden" branch
Sascha Wilde <wilde@intevation.de> writes:

[...]
> But this doesn't work: I can't even bind as
> cn=manager,cn=internal,dc=foo,dc=bar I suppose because the user is an
> child of "internal", and so anonymous isn't allowed to access the
> object for authentication.

For the record: my analysis of the problem was wrong. It _is_ possible to bind as an object which is not world readable. My problems were caused by a specific client, so this is a non-issue.

Sorry for the noise.

sascha
--
Sascha Wilde, OpenPGP key: 4BB86568
Intevation GmbH, Osnabrück, http://www.intevation.de/~wilde/
Amtsgericht Osnabrück, HR B 18998, http://www.intevation.de/
Geschäftsführer: Frank Koormann, Bernhard Reiter, Dr. Jan-Oliver Wagner