Re: ACI and authenticating clients/servers

You can create an ACI on ou=Groups,dc=domain,dc=com. This ACI can deny search, compare, read of ou=Sales. All LDAP clients included in the target of this ACI will not see your Sales OU. This can be targeted to some users and anonymous bind. Please look in the Red Hat docs: Red Hat Directory Server Admin Guide.

I'm writing from my phone and it is hard to type complex structures. Later, if no one else helps and you do not succeed on your own, I will provide an example ACI.

Greg.

On 18 Sep 2012 09:47, "Matti Alho" <listat@xxxxxxx> wrote:
Hi,

First big thanks for all people developing and maintaining 389ds! I've been learning LDAP for a while and one question which I haven't been able to figure out.

There are bunch of Debian servers authenticating against 389ds. I started with anonymous bind to get the basic setup working. Now I would like to limit access to 389ds. What is the best/recommended way to achieve this? I have stuff under ou=Groups,dc=domain,dc=com (e.g. ou=Sales,ou=Groups,dc=domain,dc=com) which I don't want to be visible for clients/servers.

* Create an entry under people ou=People,dc=domain,dc=com and use that for credentials on all servers? Create an ACI based on this?
* Create e.g. ou=Servers,dc=domain,dc=com, put an entry there for each server separately and create an ACI based on this?

Thanks for answering my probably simple question!

Mr. Matti Alho
--
389 users mailing list
389-users@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/389-users
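
The ACI described in the reply could look like the following LDIF. This is an added example, not part of the original thread and not written by either poster. It assumes each Debian server binds as its own entry named cn=<hostname> under ou=Servers,dc=domain,dc=com (the second option in the question; the cn naming is hypothetical) and that `userdn != "ldap:///all"` is used to match unauthenticated binds.

```ldif
# Added example: hide ou=Sales from anonymous binds and from the
# per-server bind accounts, as outlined in the reply above.
#
# The ACI is stored on ou=Groups and uses the "target" keyword to
# scope it to the Sales subtree only.
#
# Bind rule:
#   userdn != "ldap:///all"   -> client is not an authenticated user,
#                                i.e. an anonymous bind (assumption:
#                                verify on your server version)
#   userdn = "ldap:///cn=*,ou=Servers,..."
#                             -> any per-server bind account
#                                (hypothetical naming scheme)
#
# In 389 Directory Server a matching deny takes precedence over any
# allow, so this hides ou=Sales even if a broader ACI higher in the
# tree grants anonymous read.
dn: ou=Groups,dc=domain,dc=com
changetype: modify
add: aci
aci: (target = "ldap:///ou=Sales,ou=Groups,dc=domain,dc=com")
 (targetattr = "*")
 (version 3.0; acl "Hide Sales from anonymous and server binds";
  deny (read, search, compare)
  (userdn != "ldap:///all"
  or userdn = "ldap:///cn=*,ou=Servers,dc=domain,dc=com");)
```

Load it with `ldapmodify -x -D "cn=Directory Manager" -W -f <file>`, then confirm with an anonymous `ldapsearch -x -b "ou=Sales,ou=Groups,dc=domain,dc=com"` that no entries are returned, and repeat the search bound as one of the server accounts.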