>mheinric(a)imn.htwk-leipzig.de wrote:
> Hi
>
> I'm trying to get an OpenLDAP server (2.3.) running with an ACL restricting access to
> special attributes
>
> tb_READ should be allowed to search in the ou people but must not read any attributes
> other than telephoneNumber, cn, sn, uid...
>
> so I added this access rule to my slapd.conf :
>
> access to dn.subtree="ou=people,dc=example,dc=com"
>     attrs=telephoneNumber,cn,sn,mail,roomNumber,uid,givenName
>     by dn="cn=tb_READ,ou=functional,dc=example,dc=com" read
If you don't allow access to the "entry" attribute somewhere else,
that's why it doesn't work:
(Quoting Adminguide23, 6.3.1)
"To read (and hence return) a target entry, the subject must have read access to
the target's entry attribute."
bye
Christian
--
Christian Marg                  mail  : mailto:marg@rz.tu-clausthal.de
Dezernat 2 TU Clausthal         web   : http://www.tu-clausthal.de
D-38678 Clausthal-Zellerfeld    fon   : 05323/72-2107
Germany                         jabber: ifcma(a)jabber.tu-clausthal.de
thanks,
I added "entry" and "objectClass" to the "attrs" and
searching works fine too
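Editor's added example, not code from either poster: the rule as originally posted beside the form the thread ends up with, where the "entry" pseudo-attribute (and objectClass) is added to the attrs list. The DNs are the thread's example.com ones; the explicit "by * none" and the ldapsearch check at the end are assumptions added here for illustration.

```conf
# 1) As posted: telephoneNumber, cn, ... are readable by tb_READ, but no rule
#    grants the "entry" pseudo-attribute.  Since nothing matches it, slapd's
#    implicit final "access to * by * none" denies it and the search returns
#    no entries even though the individual attributes would be readable.
access to dn.subtree="ou=people,dc=example,dc=com"
    attrs=telephoneNumber,cn,sn,mail,roomNumber,uid,givenName
    by dn="cn=tb_READ,ou=functional,dc=example,dc=com" read

# 2) With entry (and objectClass) in the same attrs list, the one rule also
#    covers entry-level read, so search can return the matching entries.
#    Attributes NOT in the list still fall through to later rules or to the
#    implicit deny, which is exactly the restriction tb_READ should have.
#    "by * none" is redundant (each rule ends with an implicit one) but is
#    written out here so the intended default is visible.
access to dn.subtree="ou=people,dc=example,dc=com"
    attrs=entry,objectClass,telephoneNumber,cn,sn,mail,roomNumber,uid,givenName
    by dn="cn=tb_READ,ou=functional,dc=example,dc=com" read
    by * none

# Check from a client after reloading slapd (host/port assumed):
#   ldapsearch -x -H ldap://localhost \
#       -D "cn=tb_READ,ou=functional,dc=example,dc=com" -W \
#       -b "ou=people,dc=example,dc=com" "(uid=*)" cn telephoneNumber roomNumber
# The entries should come back with those attributes; asking for an attribute
# outside the list (for example userPassword, assumed here) should return the
# entries without it, confirming the restriction holds.
```

Rule order matters: slapd uses the first `access to` directive whose target (DN plus attrs) matches and then stops, so if a broader `access to *` rule appears earlier in slapd.conf it will shadow this one.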