[389-users] ACI and authenticating clients/servers

Grzegorz Dwornicki gd1100 at gmail.com
Tue Sep 18 09:10:41 UTC 2012


You can create an ACI on ou=Groups,dc=domain,dc=com. This ACI can deny search,
compare, read of ou=Sales. All LDAP clients included in the target of this ACI
will not see your Sales OU. This can be targeted to some users and
anonymous bind. Please look in the Red Hat docs: Red Hat Directory Server admin
guide.

I'm writing from my phone and it is hard to type complex structures. Later,
if no one else helps and you do not succeed on your own, I will
provide an example ACI.

Greg.
On 18 Sep 2012 09:47, "Matti Alho" <listat at alho.fi> wrote:

> Hi,
>
> First big thanks for all people developing and maintaining 389ds! I've
> been learning LDAP for a while and one question which I haven't been able
> to figure out.
>
> There are bunch of Debian servers authenticating against 389ds. I started
> with anonymous bind to get the basic setup working. Now I would like to
> limit access to 389ds. What is the best/recommended way to achieve this? I
> have stuff under ou=Groups,dc=domain,dc=com (e.g.
> ou=Sales,ou=Groups,dc=domain,dc=com) which I don't want to be visible
> for clients/servers.
>
> * Create an entry under people ou=People,dc=domain,dc=com and use that for
> credentials on all servers? Create an ACI based on this?
> * Create e.g. ou=Servers,dc=domain,dc=com, put an entry there for each
> server separately and create an ACI based on this?
>
> Thanks for answering my probably simple question!
>
> Mr. Matti Alho
> --
> 389 users mailing list
> 389-users at lists.fedoraproject.org
> https://admin.fedoraproject.org/mailman/listinfo/389-users
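As an added illustration (not Greg's promised example and not taken from the 389 documentation), the following LDIF expresses the ACI he describes: it is attached to ou=Groups,dc=domain,dc=com and denies read, search and compare on the ou=Sales subtree for anonymous binds and for a set of server accounts. The container ou=Servers,dc=domain,dc=com is the one Matti proposes in his second bullet and is assumed to exist; the `userdn != "ldap:///all"` bind rule is my choice for matching unauthenticated binds ("all" in 389 DS means all authenticated users), so confirm it against the ACI reference for your server version.

```ldif
# Added example ACIs for hiding ou=Sales from anonymous binds and from
# server accounts. DNs for ou=Groups and ou=Sales are the ones in Matti's
# question; ou=Servers,dc=domain,dc=com is assumed to hold one entry per server.
# Apply as the directory administrator, e.g.:
#   ldapmodify -x -H ldap://localhost -D "cn=Directory Manager" -W -f hide-sales.ldif
# Continuation lines start with two spaces: LDIF strips one, the other keeps
# the ACI tokens separated.
dn: ou=Groups,dc=domain,dc=com
changetype: modify
add: aci
aci: (target="ldap:///ou=Sales,ou=Groups,dc=domain,dc=com")(targetattr="*")
  (version 3.0; acl "Hide Sales from anonymous binds";
  deny (read,search,compare)
  userdn != "ldap:///all";)
aci: (target="ldap:///ou=Sales,ou=Groups,dc=domain,dc=com")(targetattr="*")
  (version 3.0; acl "Hide Sales from server accounts";
  deny (read,search,compare)
  userdn = "ldap:///ou=Servers,dc=domain,dc=com??sub?(objectClass=*)";)
```

Two points matter when checking this. In 389 DS a deny rule wins over any allow for the same operation, so a deny scoped to `userdn = "ldap:///anyone"` would hide the subtree from every bind, not only the unwanted ones; scoping the deny to the anonymous rule and to the server-account subtree keeps ou=Sales readable for other authenticated users. To verify, run `ldapsearch -x -b ou=Groups,dc=domain,dc=com "(ou=Sales)"` without a bind DN and again bound as one of the server accounts: both should return no entries, while the same search bound as an ordinary user outside ou=Servers still returns the entry. Do not test with cn=Directory Manager, which bypasses ACIs entirely.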