Re: ACL problem, restrict access to several attributes

11 Jan 2008


      mheinric@imn.htwk-leipzig.de wrote:
...
Hi
im trying to get an openldap server (2.3.) running with acl restricting access to special attributes
tb_READ should be allowed to search in the ou people but must not read any attributes then telephoneNumber, cn, sn, uid...
so i added this access rule to my slapd.conf :
access to dn.subtree="ou=people,dc=example,dc=com" attrs=telephoneNumber,cn,sn,mail,roomNumber,uid,givenName
   by dn="cn=tb_READ,ou=functional,dc=example,dc=com" read
If you don't allow access to the "entry" attribute somewhere else, 
that's why it doesn't work:
(Quoting Adminguide23, 6.3.1)
"To read (and hence return) a target entry, the subject must have read 
access to the target's entry attribute."
bye
Christian
-- 
Christian Marg                    mail  : mailto:marg@rz.tu-clausthal.de
Dezernat 2 TU Clausthal           web   : http://www.tu-clausthal.de
D-38678 Clausthal-Zellerfeld      fon   : 05323/72-2107
Germany                           jabber: ifcma@jabber.tu-clausthal.de

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

2006

Re: ACL problem, restrict access to several attributes