olcAccess {3}to dn.subtree="dc=site" filter=(objectclass=*) attrs=cn,email,entry,objectClass,uid by * read
works ok, changing the olcAccess filter to e.g. person
olcAccess {3}to dn.subtree="dc=site" filter=(objectclass=person) attrs=cn,email,entry,objectClass,uid by * read
gives no results
Given that this is specifically tested by test006, and this test routinely passes, and considering how incomplete your report is, I recommend you provide a means to easily reproduce the issue (e.g. detailed slapd.conf, LDIF data and details about the unsuccessful operation) in order to have this issue report processed further.
p.
Hello p.,
So, if I got you right, this 'test006' states that this must be a configuration error and I had better move on to the support mailing list or somewhere else.
If this should not be the case, here's what I've got:
There's no slapd.conf, it's empty.
# {1}hdb, config
dn: olcDatabase={1}hdb,cn=config
objectClass: olcDatabaseConfig
objectClass: olcHdbConfig
olcDatabase: {1}hdb
olcDbDirectory: /var/lib/ldap
olcSuffix: dc=site
olcRootDN: cn=admin,dc=site
olcRootPW: xxxxxxxxxxxxxxxx
olcDbCacheSize: 10000
olcDbCheckpoint: 1024 5
olcDbIDLcacheSize: 30000
olcDbIndex: objectclass eq
olcDbIndex: uidNumber eq
olcDbIndex: gidNumber eq
olcDbIndex: member eq
olcDbIndex: memberUid eq
olcDbIndex: mail eq
olcDbIndex: cn eq,sub
olcDbIndex: displayName eq,sub
olcDbIndex: uid eq,sub
olcDbIndex: sn eq,sub
olcDbIndex: givenName eq,sub
olcAccess: {0}to attrs=userPassword by self write by * auth
olcAccess: {1}to attrs=shadowLastChange by self write by * read
olcAccess: {2}to attrs=userPKCS12 by self read by * none
olcAccess: {3}to dn.subtree="dc=site" filter=(objectclass=inetOrgPerson) attrs
 =cn,email,entry,objectClass,uid by * read
olcAccess: {4}to * by * none
I've only access to the test system now, so the dc and objectclass are different.
Here is the only user:
# test, people, site
dn: uid=test,ou=people,dc=site
cn: test test
gidNumber: 100
givenName: test
homeDirectory: /home/test
loginShell: /bin/bash
objectClass: top
objectClass: posixAccount
objectClass: inetOrgPerson
sn: test
uid: test
uidNumber: 1001
If I do an ldapsearch -x -b ou=people,dc=site, or search as the test user, there are no results.
What I want to achieve is anonymous and user read access only to inetOrgPerson entries and special attributes, nothing else. No groupOfNames or device entries in the subtree.
Regards
Hellweiss