[please keep replies on the list]
Dan Ciarniello wrote:
# anyone can see the cn of inetOrgPersons
access to filter="(objectClass=inetOrgPerson)" attrs=cn
    by * read
# only users can see anything else of inetOrgPersons
access to filter="(objectClass=inetOrgPerson)"
    by users read
Unfortunately, that doesn't seem to do it. I set the above filters but I still get back all attributes when binding anonymously (using JXplorer). I don't know if it makes a difference but I'm using OpenLDAP 2.2 rather than 2.4.
Well, apart from any consideration strictly related to your issue, you should be using 2.3 (2.4 is not released yet but in alpha, so it's not recommended).
The fact that the above rules do not seem to work sounds odd, as they're known to work as suggested. How can you tell they ever get used? Did you run slapd with "acl" debug level enabled (with 2.2, OR 128 to the log level)? My guess is that you have broader ACLs in place that get called before the suggested ones. I suggest you post your entire slapd.conf (after appropriate sanitization for any sensitive info).
p.
Ing. Pierangelo Masarati
OpenLDAP Core Team

SysNet s.r.l.
via Dossi, 8 - 27100 Pavia - ITALIA
http://www.sys-net.it
---------------------------------------
Office:  +39 02 23998309
Mobile:  +39 333 4963172
Email:   pierangelo.masarati@sys-net.it
---------------------------------------
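The ordering problem Pierangelo describes (a broader ACL that gets evaluated before the specific ones) can be shown with a small slapd.conf fragment. This is an added illustration for this thread, not configuration from either poster; the suffix "dc=example,dc=com" and the catch-all "access to *" rule are assumptions chosen to reproduce the symptom. slapd evaluates "access to" directives in order and uses the first whose target matches the entry and attribute, so a catch-all placed first wins and the inetOrgPerson rules below it are never consulted:

```conf
# Added example (not from the list thread). Assumes suffix dc=example,dc=com.

### WRONG ORDER: reproduces "anonymous bind still sees every attribute"
# This catch-all matches every entry and attribute first, so the two
# inetOrgPerson rules below are never reached.
access to *
    by * read

access to filter="(objectClass=inetOrgPerson)" attrs=cn
    by * read
access to filter="(objectClass=inetOrgPerson)"
    by users read

### CORRECT ORDER: most specific target first, catch-all last
# Anonymous clients may read cn. "entry" is the pseudo-attribute slapd
# checks before it returns an entry at all; listing it here makes sure an
# anonymous search can actually see the inetOrgPerson entry whose cn it
# is allowed to read.
access to filter="(objectClass=inetOrgPerson)" attrs=cn,entry
    by * read

# Everything else on an inetOrgPerson: authenticated users only.
# Every "access to" clause ends with an implicit "by * none", so an
# anonymous client falls through to no access here; writing it out
# makes the intent explicit when the ACL log is read.
access to filter="(objectClass=inetOrgPerson)"
    by users read
    by * none

# Catch-all for all remaining entries, evaluated only when nothing
# above matched.
access to *
    by * read
```

To confirm which rule is actually being applied, run slapd with the acl debug level (loglevel 128 on 2.2, as the reply says) and watch the "=> access_allowed" / "<= acl_mask" lines for an anonymous base search on one inetOrgPerson entry: with the wrong ordering the first "access to *" clause is reported as the match for every attribute, with the corrected ordering the attrs=cn,entry clause is reported for cn and the "by * none" clause for the rest.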