question on usage of Proxy Authorization rights
Hi,
I have never used Proxy Authorization rights. I have a question related to the Proxy Authorization rights. I have gone through the docs to understand how to use Proxy Authorization ACIs, but I still have some doubts about their usage.
Let's say I have two special entries
cn=SP1,ou=admin,dc=foo,dc=com and cn=SP2,ou=admin,dc=foo,dc=com
Each of these entries has different special access rights through ACIs to access different sets of attributes, say
"cn=SP1,ou=admin,dc=foo,dc=com" can READ/SEARCH attribute1 and attribute2 under branch ou=people,dc=foo,dc=com
"cn=SP2,ou=admin,dc=foo,dc=com" can WRITE to attribute1 and attribute2 under branch ou=people,dc=foo,dc=com
I have another entry:
cn=U1,ou=people,dc=foo,dc=com
As per my understanding, if I need the entry "cn=U1,ou=people,dc=foo,dc=com" to READ/SEARCH attribute1 and attribute2 through the proxy control I would have to write the following ACI:
(target="ldap:///ou=people,dc=foo,dc=com")
(targetattr="attribute1 || attribute2") (version 3.0; acl "allow proxy access";
allow (proxy) userdn="ldap:///cn=U1,ou=people,dc=foo,dc=com";)
I think the entry "cn=U1,ou=people,dc=foo,dc=com" can also use the rights of "cn=SP2,ou=admin,dc=foo,dc=com" to perform a WRITE operation on attribute1 and attribute2 using the Proxy Authorization control, by passing "cn=SP2,ou=admin,dc=foo,dc=com" as the proxy id.
If this is correct, can anyone help with how to allow only READ/SEARCH access to attribute1 and attribute2 using Proxy Authorization rights?
Regards,
Randip Malakar
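The post above talks about "passing a DN as proxyid" in the Proxy Authorization control. The following is an added example, not part of the original message or of any directory server's code: it builds and parses the Proxied Authorization v2 control from RFC 4370 (OID 2.16.840.1.113730.3.4.18, value an authzId such as "dn:<DN>") with plain BER, so a defender reviewing a capture or writing a server-side hook can see exactly which identity a bound user is asking to act as. The DNs used are the ones from the post; the function names and the idea of returning the proxied DN for logging are assumptions of this example.

```python
# Added example (not from the original post): encode and decode the LDAP
# Proxied Authorization v2 control (RFC 4370) without an LDAP library.
# Control ::= SEQUENCE { controlType OCTET STRING, criticality BOOLEAN,
#                        controlValue OCTET STRING (the authzId) }

PROXY_AUTHZ_V2_OID = "2.16.840.1.113730.3.4.18"   # real OID, RFC 4370


def ber_length(n: int) -> bytes:
    """BER length: short form below 128, long form (0x8N + N bytes) otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def ber_tlv(tag: int, content: bytes) -> bytes:
    """One tag-length-value element."""
    return bytes([tag]) + ber_length(len(content)) + content


def encode_proxy_authz_control(proxy_dn: str) -> bytes:
    """Control asking the server to run the operation as proxy_dn."""
    authz_id = b"dn:" + proxy_dn.encode("utf-8")          # authzId, RFC 4513 form
    content = (ber_tlv(0x04, PROXY_AUTHZ_V2_OID.encode("ascii"))
               + ber_tlv(0x01, b"\xff")                    # RFC 4370: criticality MUST be TRUE
               + ber_tlv(0x04, authz_id))
    return ber_tlv(0x30, content)                           # SEQUENCE


def _read_tlv(buf: bytes, pos: int):
    """Return (tag, content, next_pos) for the element starting at buf[pos]."""
    tag = buf[pos]
    first = buf[pos + 1]
    pos += 2
    if first < 0x80:
        length = first
    else:
        n = first & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def decode_control(raw: bytes) -> dict:
    """Split a BER-encoded Control into oid / critical / value."""
    tag, content, _ = _read_tlv(raw, 0)
    if tag != 0x30:
        raise ValueError("control is not a SEQUENCE")
    fields, pos = [], 0
    while pos < len(content):
        t, c, pos = _read_tlv(content, pos)
        fields.append((t, c))
    oid = fields[0][1].decode("ascii")                      # controlType is mandatory
    critical, value = False, None                           # the other two are optional
    for t, c in fields[1:]:
        if t == 0x01:
            critical = c != b"\x00"
        elif t == 0x04:
            value = c
    return {"oid": oid, "critical": critical, "value": value}


def proxied_dn(raw: bytes):
    """DN the request wants to run as, or None if this is not a dn: proxy control."""
    ctl = decode_control(raw)
    if ctl["oid"] != PROXY_AUTHZ_V2_OID or ctl["value"] is None:
        return None
    authz = ctl["value"].decode("utf-8")
    if not authz.startswith("dn:"):
        return None        # "u:" or anonymous authzId: must be resolved server-side
    return authz[3:]


if __name__ == "__main__":
    # Constructed scenario from the post: U1 is bound, SP2 is the proxy id.
    bound = "cn=U1,ou=people,dc=foo,dc=com"
    ctl = encode_proxy_authz_control("cn=SP2,ou=admin,dc=foo,dc=com")
    print(f"{bound} requests to act as {proxied_dn(ctl)} ({len(ctl)} bytes on the wire)")
```

The point for the reviewer: the control carries only the requested identity, so whether U1 may act as SP2 is decided entirely by the server's proxy ACI evaluation. Logging the decoded authzId next to the bound DN makes that decision auditable.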

