Hi,
I am implementing a directory with OpenLDAP and I would like that anonymous users could only read certain attributes, while all other attributes are accessible to authenticated users only.
# ACL 1: Data that the user can change and that the world can see
access to dn.one="ou=People,ou=csim,dc=cs,dc=ait,dc=ac,dc=th" attrs=sn,givenName
        by group="cn=groupadmin..." write
        by self write
        by * read

# ACL 2: Personal data, that the user can change and the world can not see
access to dn.one="ou=People,ou=csim,dc=cs,dc=ait,dc=ac,dc=th" attrs=gecos,description
        by group="cn=groupadmin..." write
        by self write
        by * none

# ACL 3: any attribute that is not explicitly allowed above is denied
access to dn.one="ou=People,ou=csim,dc=cs,dc=ait,dc=ac,dc=th"
        by group="cn=groupadmin..." write
        by dn.subtree="ou=csim,dc=cs,dc=ait,dc=ac,dc=th" read
        by * none
But this is not working. If I do it like this, an anonymous search will see nothing from the user.
I found out somewhere that the attribute objectClass should always be exposed, so I tried to add it in ACL 1, but that is not working either; I must have a last ACL of the form
access to dn.one="ou=People,ou=csim,dc=cs,dc=ait,dc=ac,dc=th"
        by group="cn=groupadmin..." write
        by dn.subtree="ou=csim,dc=cs,dc=ait,dc=ac,dc=th" read
        by * read
and I don't see where my reasoning is getting wrong.
Thanks in advance,
Olivier
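An added note and example from the editor, not part of Olivier's message: in slapd.access(5), an entry is only returned if the requester has read access to the `entry` pseudo-attribute, and a filter such as (objectClass=*) needs search access to objectClass; a catch-all directive with no attrs list covers both, so ACL 3's "by * none" hides every entry from anonymous even though sn and givenName are readable. The ACL set below keeps the intended split (public sn/givenName, private gecos/description, everything else for authenticated users only) by granting only `entry` and objectClass to the world, and it adds a userPassword directive because a simple bind is evaluated while the client is still anonymous. The groupadmin DN is a placeholder, since the post elides it.

```conf
# Added example, not from the original post. The groupadmin DN is a
# placeholder because the post elides it.

# ACL 0: "entry" must be readable for an entry to be returned at all, and
# objectClass must be searchable for the usual (objectClass=*) filter;
# neither discloses personal data.
access to dn.one="ou=People,ou=csim,dc=cs,dc=ait,dc=ac,dc=th" attrs=entry,objectClass
        by group="cn=groupadmin,dc=PLACEHOLDER" write
        by * read

# ACL 1: credentials. Simple bind runs while the client is still anonymous,
# so anonymous needs "auth" (bind-only, never read) on userPassword, or
# nobody can log in. No other identity may read the hash.
access to dn.one="ou=People,ou=csim,dc=cs,dc=ait,dc=ac,dc=th" attrs=userPassword
        by group="cn=groupadmin,dc=PLACEHOLDER" write
        by self write
        by anonymous auth
        by * none

# ACL 2: public attributes the user may change
access to dn.one="ou=People,ou=csim,dc=cs,dc=ait,dc=ac,dc=th" attrs=sn,givenName
        by group="cn=groupadmin,dc=PLACEHOLDER" write
        by self write
        by * read

# ACL 3: personal attributes, hidden from anonymous
access to dn.one="ou=People,ou=csim,dc=cs,dc=ait,dc=ac,dc=th" attrs=gecos,description
        by group="cn=groupadmin,dc=PLACEHOLDER" write
        by self write
        by * none

# ACL 4: anything not listed above stays closed to anonymous; authenticated
# users under ou=csim may read it.
access to dn.one="ou=People,ou=csim,dc=cs,dc=ait,dc=ac,dc=th"
        by group="cn=groupadmin,dc=PLACEHOLDER" write
        by dn.subtree="ou=csim,dc=cs,dc=ait,dc=ac,dc=th" read
        by * none
```

Order matters: slapd applies the first `access to` directive whose target matches both the entry and the attribute being checked, so the catch-all must remain last and the `entry`/objectClass and userPassword directives must come before it.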