Pierangelo Masarati wrote:
[please keep replies on the list]
Oops. Sorry about that. I just hit Reply to the message not realizing that the reply wasn't going to the list but just to you directly.
Dan Ciarniello wrote:
# anyone can see the cn of inetOrgPersons
access to filter="(objectClass=inetOrgPerson)" attrs=cn
    by * read

# only users can see anything else of inetOrgPersons
access to filter="(objectClass=inetOrgPerson)"
    by users read
Unfortunately, that doesn't seem to do it. I set the above filters but I still get back all attributes when binding anonymously (using JXplorer). I don't know if it makes a difference but I'm using OpenLDAP 2.2 rather than 2.4.
Well, apart from any consideration strictly related to your issue, you should be using 2.3 (2.4 is not released yet but in alpha, so it's not recommended).
I did mean 2.3 rather than 2.4. Unfortunately, circumstances beyond my control dictate that I use 2.2. Upgrading to 2.3 is not an option at the moment.
The fact that the above rules do not seem to work sounds odd, as they're known to work as suggested. How can you tell they ever get used? Did you run slapd with the "acl" debug level enabled (with 2.2, OR 128 into the log level)? My guess is that you have broader ACLs in place that get called before the suggested ones. I suggest you post your entire slapd.conf (after appropriate sanitization of any sensitive info).
p.
Here are the relevant ACL entries from slapd.conf.
access to attrs=userPassword
    by group="<groupdn>" write
    by self write
    by anonymous auth
    by * none

access to filter="(objectClass=inetOrgPerson)" attrs=cn
    by * read

access to filter="(objectClass=inetOrgPerson)"
    by users read

access to dn.base="dc=cityxpress,dc=com"
    by group="<groupdn>" write
    by users read
    by anonymous read
    by * none

access to dn.subtree="ou=Administrators,dc=cityxpress,dc=com"
    by group="<groupdn>" write
    by self read
    by anonymous read
    by * none

access to *
    by group="<groupdn>" write
    by users read
    by anonymous auth
    by * none
There are other entries in the ACL, but they all refer to subtrees other than the Administrators subtree, which is the one I'm interested in. Note that the "Administrators" are of type person/posixAccount/shadowAccount/inetOrgPerson. I tried a filter that combined all object classes, but it didn't work either.
I haven't had a chance to add acl debug statements to the log yet.
Thanks, Dan.
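Pierangelo's point about rule order is the crux of this thread: slapd evaluates `access to` directives in file order, the first directive whose target matches the entry and attribute is the only one consulted, and within it the first matching `by` clause decides (no match means no access). The following is an added example, not OpenLDAP code and not anything from the thread; it is a deliberately simplified Python model of that first-match evaluation covering only the directive forms in the posted ACLs (`filter="(objectClass=…)"`, `attrs=`, `dn.base=`, `dn.subtree=`, and the who-clauses `*`, `anonymous`, `users`, `self`, `group=`). The `<groupdn>` placeholder is kept from the post, and the entry `uid=alice,…` is constructed. It reproduces the posted order and then the "broader ACL placed earlier" situation Pierangelo guesses at, so you can see which rule actually fires for an anonymous read.

```python
"""Simplified model of slapd first-match ACL evaluation (added example, not
OpenLDAP code). Only the subset of slapd.conf 'access to' syntax used in
the posted rules is modelled."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

LEVELS = ["none", "auth", "compare", "search", "read", "write"]  # slapd ordering


@dataclass
class Entry:
    dn: str
    object_classes: Set[str]


@dataclass
class Requester:
    dn: Optional[str]                 # None models an anonymous bind
    groups: Set[str] = field(default_factory=set)


@dataclass
class Rule:
    by: List[Tuple[str, str]]         # [(who, level), ...] in file order
    object_class: Optional[str] = None  # filter="(objectClass=...)"
    attrs: Optional[Set[str]] = None    # attrs=...; None means entry + all attrs
    dn_base: Optional[str] = None
    dn_subtree: Optional[str] = None


def dn_in_subtree(dn: str, base: str) -> bool:
    dn, base = dn.lower(), base.lower()
    return dn == base or dn.endswith("," + base)


def target_matches(rule: Rule, entry: Entry, attr: str) -> bool:
    if rule.object_class and rule.object_class not in entry.object_classes:
        return False
    if rule.attrs is not None and attr not in rule.attrs:
        return False
    if rule.dn_base and entry.dn.lower() != rule.dn_base.lower():
        return False
    if rule.dn_subtree and not dn_in_subtree(entry.dn, rule.dn_subtree):
        return False
    return True


def who_matches(who: str, req: Requester, entry: Entry) -> bool:
    if who == "*":
        return True
    if who == "anonymous":
        return req.dn is None
    if who == "users":
        return req.dn is not None
    if who == "self":
        return req.dn is not None and req.dn.lower() == entry.dn.lower()
    if who.startswith("group="):
        return who[len("group="):] in req.groups
    raise ValueError("unsupported who-clause: " + who)


def evaluate(rules: List[Rule], req: Requester, entry: Entry, attr: str):
    """Return (granted level, index of the rule that decided).
    First matching 'access to' wins; later rules are never consulted.
    Within it, the first matching 'by' clause decides; none -> 'none'."""
    for i, rule in enumerate(rules):
        if not target_matches(rule, entry, attr):
            continue
        for who, level in rule.by:
            if who_matches(who, req, entry):
                return level, i
        return "none", i                 # implicit trailing 'by * none'
    return "none", None                  # no rule matched at all


def can_read(rules: List[Rule], req: Requester, entry: Entry, attr: str) -> bool:
    level, _ = evaluate(rules, req, entry, attr)
    return LEVELS.index(level) >= LEVELS.index("read")


# The six posted directives, in the order given in the post.
GROUP = 'group=<groupdn>'   # placeholder kept from the post, not a real DN
POSTED_RULES = [
    Rule(attrs={"userPassword"}, by=[(GROUP, "write"), ("self", "write"), ("anonymous", "auth"), ("*", "none")]),
    Rule(object_class="inetOrgPerson", attrs={"cn"}, by=[("*", "read")]),
    Rule(object_class="inetOrgPerson", by=[("users", "read")]),
    Rule(dn_base="dc=cityxpress,dc=com", by=[(GROUP, "write"), ("users", "read"), ("anonymous", "read"), ("*", "none")]),
    Rule(dn_subtree="ou=Administrators,dc=cityxpress,dc=com", by=[(GROUP, "write"), ("self", "read"), ("anonymous", "read"), ("*", "none")]),
    Rule(by=[(GROUP, "write"), ("users", "read"), ("anonymous", "auth"), ("*", "none")]),
]
# Same rules, but with the Administrators subtree rule moved ahead of the two
# inetOrgPerson rules: the "broader ACL that gets called first" scenario.
SHADOWED_RULES = [POSTED_RULES[0], POSTED_RULES[4], POSTED_RULES[1], POSTED_RULES[2], POSTED_RULES[3], POSTED_RULES[5]]

# Constructed entry matching the object classes described in the post.
ADMIN = Entry("uid=alice,ou=Administrators,dc=cityxpress,dc=com",
              {"person", "posixAccount", "shadowAccount", "inetOrgPerson"})
ANON = Requester(dn=None)


def anonymous_read_report(rules: List[Rule]) -> Dict[str, Tuple[bool, Optional[int]]]:
    """For each attribute: (anonymous may read?, index of deciding rule)."""
    return {a: (can_read(rules, ANON, ADMIN, a), evaluate(rules, ANON, ADMIN, a)[1])
            for a in ("cn", "sn", "userPassword")}


if __name__ == "__main__":
    print("posted order:  ", anonymous_read_report(POSTED_RULES))
    print("subtree first: ", anonymous_read_report(SHADOWED_RULES))
```

With the rules in the posted order, anonymous gets `cn` (rule 2) and is stopped at rule 3 for everything else, which is the intended outcome. If the `dn.subtree="ou=Administrators,…"` directive sits earlier in the real slapd.conf, it matches the entry first and its `by anonymous read` grants every attribute, and the two inetOrgPerson rules are never reached. That is exactly what running slapd with the `acl` debug level would show: the log names the rule that fired for each access check.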