Hi,

2010/1/11 Johannes Woerner <jkwoerner@xxxxxxxxxxxxxx>:
> Hi,
>
> I'm evaluating the migration of an openldap installation to
> 389 directory server (ca 1200 user objects).
> With openldap I can restrict client authentication to ssl/tls ldap
> connections and in parallel allow anonymous (unencrypted) access to
> items like phone number etc.
> (slapd.conf with: "security simple_bind=56")
>
> Is there a way you can do this with 389 directory server?

Yes. By using ACIs and the features described here:
http://directory.fedoraproject.org/wiki/Roadmap#389_Directory_Server_1.2.3_-_October_7.2C_2009

An example of an ACI for unauthenticated anonymous access (userdn = "ldap:///anyone"):

aci: (targetattr = "objectClass || sn || givenName || uid || cn || displayName || title || mail || ou || departmentNumber || telephoneNumber || facsimileTelephoneNumber || physicalDeliveryOfficeName")(version 3.0; acl "Enable anonymous read access"; allow (read,compare,search)(userdn = "ldap:///anyone") and (ip="127.0.0.1" or ip="10.1.*" or ip="172.16.*" or ip="192.168.*");)

More about ACIs:
http://www.redhat.com/docs/manuals/dir-server/8.1/admin/Managing_Access_Control.html

@+

--
389 users mailing list
389-users@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/389-users
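To see what the ACI in the reply above actually grants before loading it into a server, here is a small added example (not from the list post and not 389's own ACI engine) that parses that ACI and evaluates requests against it the way the server's default-deny model does: a request is allowed only if the attribute is in targetattr, the right is in the allow clause, and the bind rule (userdn plus the ip list) matches. The IP wildcard matching is my assumption that "*" behaves like a glob; the "ldap:///all" case (authenticated users only) is included to show the difference from "ldap:///anyone". Requiring TLS for the simple binds themselves is a separate server setting (nsslapd-require-secure-binds in cn=config, which I assume is what the linked roadmap entry refers to) and is not modelled here.

```python
import re
from dataclasses import dataclass

# The ACI from the list reply, as one string (constructed copy for this example).
ANON_READ_ACI = (
    '(targetattr = "objectClass || sn || givenName || uid || cn || displayName || title '
    '|| mail || ou || departmentNumber || telephoneNumber || facsimileTelephoneNumber '
    '|| physicalDeliveryOfficeName")'
    '(version 3.0; acl "Enable anonymous read access"; allow (read,compare,search)'
    '(userdn = "ldap:///anyone") and '
    '(ip="127.0.0.1" or ip="10.1.*" or ip="172.16.*" or ip="192.168.*");)'
)


@dataclass(frozen=True)
class Aci:
    name: str
    attrs: frozenset      # lower-cased attribute names from targetattr
    rights: frozenset     # rights granted by the allow clause
    anyone: bool          # bind rule userdn = "ldap:///anyone" (anonymous included)
    all_auth: bool        # bind rule userdn = "ldap:///all" (authenticated users only)
    ip_patterns: tuple    # wildcard patterns from the ip= bind rule


def parse_aci(text: str) -> Aci:
    """Extract the parts of a simple 'allow' ACI that this simulator models.
    Only the subset of the ACI grammar used in the post is recognised."""
    attrs = re.search(r'targetattr\s*=\s*"([^"]*)"', text).group(1)
    name = re.search(r'acl\s+"([^"]*)"', text).group(1)
    rights = re.search(r'allow\s*\(([^)]*)\)', text).group(1)
    return Aci(
        name=name,
        attrs=frozenset(a.strip().lower() for a in attrs.split("||") if a.strip()),
        rights=frozenset(r.strip().lower() for r in rights.split(",")),
        anyone=bool(re.search(r'userdn\s*=\s*"ldap:///anyone"', text)),
        all_auth=bool(re.search(r'userdn\s*=\s*"ldap:///all"', text)),
        ip_patterns=tuple(re.findall(r'ip\s*=\s*"([^"]*)"', text)),
    )


def ip_matches(pattern: str, ip: str) -> bool:
    """Match a dotted-quad client address against a pattern such as "10.1.*".
    Assumption: '*' stands for any run of characters, as in a shell glob."""
    regex = "^" + re.escape(pattern).replace(r"\*", ".*") + "$"
    return re.match(regex, ip) is not None


def is_allowed(aci: Aci, bind_dn: str, client_ip: str, attr: str, right: str) -> bool:
    """Default deny: succeed only when every part of the ACI matches.
    bind_dn == "" models an anonymous (unauthenticated) connection."""
    if attr.lower() not in aci.attrs:
        return False                      # attribute not listed in targetattr
    if right.lower() not in aci.rights:
        return False                      # right not granted (e.g. write)
    subject_ok = aci.anyone or (aci.all_auth and bind_dn != "")
    if not subject_ok:
        return False                      # userdn part of the bind rule fails
    # The ip= clauses are OR-ed together and AND-ed with the userdn clause.
    return any(ip_matches(p, client_ip) for p in aci.ip_patterns)


def evaluate(bind_dn: str, client_ip: str, attr: str, right: str,
             aci_text: str = ANON_READ_ACI) -> bool:
    """Convenience wrapper: parse the ACI text and evaluate one request."""
    return is_allowed(parse_aci(aci_text), bind_dn, client_ip, attr, right)


if __name__ == "__main__":
    # Constructed sample requests: (bind DN, client IP, attribute, right)
    cases = [
        ("", "10.1.2.3", "telephoneNumber", "read"),      # anonymous, internal net
        ("", "8.8.8.8", "telephoneNumber", "read"),       # anonymous, outside net
        ("", "192.168.1.10", "userPassword", "read"),     # attribute not listed
        ("", "127.0.0.1", "mail", "write"),               # right not granted
        ("uid=alice,ou=People,dc=example,dc=com", "172.16.4.5", "sn", "search"),
    ]
    for bind_dn, ip, attr, right in cases:
        verdict = "ALLOW" if evaluate(bind_dn, ip, attr, right) else "DENY"
        print(f"{verdict:5} {right:7} {attr:16} from {ip:13} as {bind_dn or '<anonymous>'}")
```

The useful check here is the third and fourth cases: because 389 denies anything an ACI does not explicitly allow, an attribute left out of targetattr (userPassword) and a right left out of the allow clause (write) stay closed to anonymous clients even from the listed networks, which is exactly the split between "public phone book" and "authenticated access" the original question asks for.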