[please keep replies on the list]
Dan Ciarniello wrote:
# anyone can see the cn of inetOrgPersons
access to filter="(objectClass=inetOrgPerson)" attrs=cn
        by * read

# only users can see anything else of inetOrgPersons
access to filter="(objectClass=inetOrgPerson)"
        by users read
Unfortunately, that doesn't seem to do it. I set the above filters but I still get back all attributes when binding anonymously (using JXplorer). I don't know if it makes a difference but I'm using OpenLDAP 2.2 rather than 2.4.
Well, apart from any consideration strictly related to your issue, you should be using 2.3 (2.4 is not released yet but in alpha, so it's not recommended).
The fact that the above rules do not seem to work sounds odd, as they're known to work as suggested. How can you tell they ever get used? Did you run slapd with the "acl" debug level enabled (with 2.2, OR 128 into the loglevel)? My guess is that you have broader ACLs in place that get called before the suggested ones. I suggest you post your entire slapd.conf (after appropriate sanitization of any sensitive info).
p.
Ing. Pierangelo Masarati
OpenLDAP Core Team

SysNet s.r.l.
via Dossi, 8 - 27100 Pavia - ITALIA
http://www.sys-net.it
---------------------------------------
Office:  +39 02 23998309
Mobile:  +39 333 4963172
Email:   pierangelo.masarati@sys-net.it
---------------------------------------
Pierangelo Masarati wrote:
[please keep replies on the list]
Oops. Sorry about that. I just hit Reply to the message not realizing that the reply wasn't going to the list but just to you directly.
Well, apart from any consideration strictly related to your issue, you should be using 2.3 (2.4 is not released yet but in alpha, so it's not recommended).
I did mean 2.3 rather than 2.4. Unfortunately, circumstances beyond my control dictate that I use 2.2. Upgrading to 2.3 is not an option at the moment.
The fact that the above rules do not seem to work sounds odd, as they're known to work as suggested. How can you tell they ever get used? Did you run slapd with the "acl" debug level enabled (with 2.2, OR 128 into the loglevel)? My guess is that you have broader ACLs in place that get called before the suggested ones. I suggest you post your entire slapd.conf (after appropriate sanitization of any sensitive info).
p.
Here are the relevant ACL entries from slapd.conf.
access to attrs=userPassword
        by group="<groupdn>" write
        by self write
        by anonymous auth
        by * none

access to filter="(objectClass=inetOrgPerson)" attrs=cn
        by * read

access to filter="(objectClass=inetOrgPerson)"
        by users read

access to dn.base="dc=cityxpress,dc=com"
        by group="<groupdn>" write
        by users read
        by anonymous read
        by * none

access to dn.subtree="ou=Administrators,dc=cityxpress,dc=com"
        by group="<groupdn>" write
        by self read
        by anonymous read
        by * none

access to *
        by group="<groupdn>" write
        by users read
        by anonymous auth
        by * none
There are other entries in the ACL but they all refer to subtrees other than the Administrator subtree which is the one that I'm interested in. Note that the "Administrators" are of type person/posixAccount/shadowAccount/inetOrgPerson. I tried a filter that combined all object classes but it didn't work either.
I haven't had a chance to add acl debug statements to the log yet.
Thanks, Dan.
Try something along the lines:
# allow everybody to bind, and self to change password
access to attrs=userPassword
        by self write
        by anonymous auth

# allow everybody searching for objectClass
access to filter="(objectClass=inetOrgPerson)" attrs=objectClass
        by * search

# allow everybody to read the entry and the cn
access to filter="(objectClass=inetOrgPerson)" attrs=entry,cn
        by * read

# allow only users to read the rest of the entry
access to filter="(objectClass=inetOrgPerson)"
        by users read

# allow everybody to search (but not see) everything else
access to *
        by * search
p.
Ing. Pierangelo Masarati OpenLDAP Core Team
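Both rule sets in this thread can be checked without a running slapd by modelling how slapd evaluates ACLs: the first "access to" clause whose target matches the entry and attribute is the only one consulted, within it the first matching "by" clause sets the level, an implicit "by * none" catches everyone else, and a search additionally needs search access on the attributes in the filter and read access on the entry pseudo-attribute before an entry is returned at all. The Python below is an added example written for this thread, not code from OpenLDAP or from either poster. The directory content, the DNs uid=alice and uid=bob, and the membership set standing in for group="<groupdn>" are constructed, and only the ACL features the posted rules actually use (dn.base, dn.subtree, objectClass filters, attrs, the who clauses *, anonymous, users, self, group) are modelled.

```python
"""Added model of how slapd evaluates slapd.conf ACLs (not OpenLDAP code).

Rules modelled: the first "access to" clause whose target matches the entry
and attribute is the only one consulted; within it the first matching "by"
clause sets the level; an implicit "by * none" follows.  A search needs
'search' on each filter attribute and 'read' on the 'entry' pseudo-attribute
before an entry is returned, then 'read' on every attribute it returns.
All directory data below is constructed sample data."""

# slapd's privilege ladder: a grant of level L satisfies any request at or below L.
LEVELS = {"none": 0, "auth": 1, "compare": 2, "search": 3, "read": 4, "write": 5}
ANON = None  # an anonymous bind has no DN

# Constructed sample tree (assumed, not the poster's real data).
BASE = "dc=cityxpress,dc=com"
ADMIN_OU = "ou=Administrators," + BASE
ALICE = "uid=alice," + ADMIN_OU
BOB = "uid=bob," + ADMIN_OU
GROUP_MEMBERS = {BOB}  # stands in for group="<groupdn>" in the posted rules
ENTRIES = {
    BASE: {"objectClass": ["dcObject", "organization"], "o": ["CityXpress"]},
    ADMIN_OU: {"objectClass": ["organizationalUnit"], "ou": ["Administrators"]},
    ALICE: {"objectClass": ["person", "posixAccount", "shadowAccount", "inetOrgPerson"],
            "cn": ["Alice"], "sn": ["Smith"], "mail": ["alice@example.com"],
            "userPassword": ["{SSHA}constructed"]},
}


def acl(dn=None, scope=None, oc=None, attrs=None, by=()):
    """One 'access to' clause: dn/scope model dn.base and dn.subtree, oc models
    filter="(objectClass=oc)", attrs=None means every attribute including the
    'entry' pseudo-attribute, by is an ordered list of (who, level)."""
    return {"dn": dn, "scope": scope, "oc": oc, "attrs": attrs, "by": list(by)}


def target_matches(clause, entry_dn, entry, attr):
    if clause["dn"] and clause["scope"] == "base" and entry_dn != clause["dn"]:
        return False
    if clause["dn"] and clause["scope"] == "subtree" and not entry_dn.endswith(clause["dn"]):
        return False
    if clause["oc"] and clause["oc"] not in entry["objectClass"]:
        return False
    return clause["attrs"] is None or attr in clause["attrs"]


def who_matches(who, bind_dn, entry_dn):
    return {"*": True,
            "anonymous": bind_dn is ANON,
            "users": bind_dn is not ANON,
            "self": bind_dn == entry_dn,
            "group": bind_dn in GROUP_MEMBERS}[who]


def granted(acls, bind_dn, entry_dn, attr):
    """Level the bound identity holds on one attribute of one entry."""
    for clause in acls:
        if target_matches(clause, entry_dn, ENTRIES[entry_dn], attr):
            for who, level in clause["by"]:
                if who_matches(who, bind_dn, entry_dn):
                    return level
            return "none"  # first matching clause wins, even when no 'by' matched
    return "none"


def allowed(acls, bind_dn, entry_dn, attr, want):
    return LEVELS[granted(acls, bind_dn, entry_dn, attr)] >= LEVELS[want]


def search(acls, bind_dn, filter_oc=None):
    """Subtree search with filter (objectClass=filter_oc), or (objectClass=*)
    when filter_oc is None.  Returns {dn: [attributes the bind may read]}."""
    found = {}
    for dn, entry in ENTRIES.items():
        if not allowed(acls, bind_dn, dn, "objectClass", "search"):
            continue  # filter attribute not searchable: the entry never matches
        if filter_oc is not None and filter_oc not in entry["objectClass"]:
            continue
        if not allowed(acls, bind_dn, dn, "entry", "read"):
            continue  # matched, but the entry itself may not be returned
        found[dn] = sorted(a for a in entry if allowed(acls, bind_dn, dn, a, "read"))
    return found


# The rules Dan posted, in his order ("group" = group="<groupdn>").
DAN_ACLS = [
    acl(attrs={"userPassword"},
        by=[("group", "write"), ("self", "write"), ("anonymous", "auth"), ("*", "none")]),
    acl(oc="inetOrgPerson", attrs={"cn"}, by=[("*", "read")]),
    acl(oc="inetOrgPerson", by=[("users", "read")]),
    acl(dn=BASE, scope="base",
        by=[("group", "write"), ("users", "read"), ("anonymous", "read"), ("*", "none")]),
    acl(dn=ADMIN_OU, scope="subtree",
        by=[("group", "write"), ("self", "read"), ("anonymous", "read"), ("*", "none")]),
    acl(by=[("group", "write"), ("users", "read"), ("anonymous", "auth"), ("*", "none")]),
]

# The rules Pierangelo suggested, in his order.
FIXED_ACLS = [
    acl(attrs={"userPassword"}, by=[("self", "write"), ("anonymous", "auth")]),
    acl(oc="inetOrgPerson", attrs={"objectClass"}, by=[("*", "search")]),
    acl(oc="inetOrgPerson", attrs={"entry", "cn"}, by=[("*", "read")]),
    acl(oc="inetOrgPerson", by=[("users", "read")]),
    acl(by=[("*", "search")]),
]

if __name__ == "__main__":
    for name, acls in (("Dan", DAN_ACLS), ("Pierangelo", FIXED_ACLS)):
        for label, who in (("anonymous", ANON), ("bob", BOB), ("alice", ALICE)):
            print(name, label, search(acls, who, "inetOrgPerson"))
    print("anonymous (objectClass=*) with fix:", search(FIXED_ACLS, ANON))
```

Run stand-alone it prints what each bind sees under each rule set. Evaluated in isolation and in order, Dan's posted rules return nothing at all to an anonymous (objectClass=inetOrgPerson) search: his third rule is the first one that matches objectClass and entry on those entries, and it grants anonymous neither search nor read. That is consistent with Pierangelo's reading that whatever exposed every attribute must be an earlier, broader rule elsewhere in the real slapd.conf, which is why the acl debug output is the thing to look at. Pierangelo's rules return only cn to anonymous, everything but userPassword to other authenticated users, and userPassword to the entry itself; the base and ou entries are searchable but never returned, which is what "search (but not see)" means.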
Pierangelo Masarati wrote:
Try something along the lines:
That does the trick.
Grazie mille, Dan.
openldap-software@openldap.org