Hi all,
I'm running openldap-2.3.43 on gentoo amd64.
Shouldn't the following access directive give members of ou=People,dc=foo,dc=bar selfread permissions to attrs=member and all others (e.g. the bind user cn=ldapbind,ou=dsa,dc=foo,dc=bar) unlimited read permissions?
access to dn.subtree="ou=Group,dc=foo,dc=bar" attrs=member
    by dn.children="ou=People,dc=foo,dc=bar" selfread
    by * read
Selfread works only if I restrict * to none, but that's not what I want. 'by * read' is not what I want at least but it simplifies the example.
access to dn.subtree="ou=Group,dc=foo,dc=bar" attrs=member
    by dn.children="ou=People,dc=foo,dc=bar" selfread
    by * none
It should expand to 'by dn.children="ou=People,dc=foo,dc=bar" selfread stop' but it seems to continue.
What's wrong?
Regards Christian
--On May 13, 2009 4:04:00 PM +0200 Christian Fischer Christian.Fischer@fischundfischer.com wrote:
> Hi all,
> I'm running openldap-2.3.43 on gentoo amd64.
> Shouldn't the following access directive give members of ou=People,dc=foo,dc=bar selfread permissions to attrs=member and all others (e.g. the bind user cn=ldapbind,ou=dsa,dc=foo,dc=bar) unlimited read permissions?
What is selfread? I suggest you read the manual page:
--Quanah
--
Quanah Gibson-Mount
Principal Software Engineer
Zimbra, Inc
--------------------
Zimbra :: the leader in open source messaging and collaboration
On Wednesday 13 May 2009, Christian Fischer wrote:
> Hi all,
> I'm running openldap-2.3.43 on gentoo amd64.
> Shouldn't the following access directive give members of ou=People,dc=foo,dc=bar selfread permissions to attrs=member and all others (e.g. the bind user cn=ldapbind,ou=dsa,dc=foo,dc=bar) unlimited read permissions?
> access to dn.subtree="ou=Group,dc=foo,dc=bar" attrs=member
>     by dn.children="ou=People,dc=foo,dc=bar" selfread
>     by * read
> Selfread works only if I restrict * to none, but that's not what I want. 'by * read' is not what I want at least but it simplifies the example.
> access to dn.subtree="ou=Group,dc=foo,dc=bar" attrs=member
>     by dn.children="ou=People,dc=foo,dc=bar" selfread
>     by * none
> It should expand to 'by dn.children="ou=People,dc=foo,dc=bar" selfread stop' but it seems to continue.
> What's wrong?
> Regards Christian
I've given selfread one more try.
Seems that it really expands to continue and the 'by * none' clause is mandatory to get it working.
A working directive to grant read access to the member attribute without affecting other members must be (in my case)
access to dn.subtree="ou=Group,dc=foo,dc=bar" attrs=member
    by dn.children="ou=dsa,dc=foo,dc=bar" read
    by dn.children="ou=People,dc=foo,dc=bar" selfread
    by * none
Well, I think this is a bug because the behavior differs from the one stated in the man pages.
Maybe Quanah likes to file the bug if he has read the manual page.
Is there a simple way to expand this to the memberUid attribute?
Bye Christian
openldap-software@openldap.org
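
Added example, not part of the thread and not OpenLDAP code: a simplified Python model of the three directives above, evaluated under the two readings discussed (a failed selfread test ends evaluation, versus a failed selfread test falls through to the next "by" clause, as reported). Assumptions: DNs are compared as plain case-insensitive strings, and the users uid=alice and uid=bob are constructed sample data.

```python
# Simplified model of one "access to ... attrs=member" directive from the thread.
# Assumption: DNs are compared as case-insensitive strings (no real DN normalisation).

def children(base):
    """dn.children=<base>: any DN below base, but not base itself."""
    suffix = "," + base.lower()
    return lambda dn: dn.lower().endswith(suffix)

def anyone(dn):
    """The '*' who-clause."""
    return True

PEOPLE = children("ou=People,dc=foo,dc=bar")
DSA = children("ou=dsa,dc=foo,dc=bar")

# Each clause: (who, self_only, level). self_only marks "selfread".
BY_STAR_READ = [(PEOPLE, True, "read"), (anyone, False, "read")]
BY_STAR_NONE = [(PEOPLE, True, "read"), (anyone, False, "none")]
FINAL = [(DSA, False, "read"), (PEOPLE, True, "read"), (anyone, False, "none")]

def can_read(clauses, requester, value, fall_through):
    """May requester read this one member value?"""
    for who, self_only, level in clauses:
        if not who(requester):
            continue
        if self_only and value.lower() != requester.lower():
            if fall_through:
                continue      # reading reported in the thread: try next "by"
            return False      # reading the poster expected: implicit "stop"
        return level == "read"
    return False              # no clause matched: no access

def visible(clauses, requester, members, fall_through):
    """Member values the requester would see under the given reading."""
    return [m for m in members if can_read(clauses, requester, m, fall_through)]

# Constructed sample data (uid=alice and uid=bob are not from the thread).
ALICE = "uid=alice,ou=People,dc=foo,dc=bar"
BOB = "uid=bob,ou=People,dc=foo,dc=bar"
BIND = "cn=ldapbind,ou=dsa,dc=foo,dc=bar"
MEMBERS = [ALICE, BOB]

if __name__ == "__main__":
    for name, acl in [("by * read", BY_STAR_READ), ("by * none", BY_STAR_NONE), ("final", FINAL)]:
        for who in (ALICE, BIND):
            for ft in (False, True):
                print(name, who, "fall_through=%s" % ft, visible(acl, who, MEMBERS, ft))
```

Under the fall-through reading, the 'by * read' variant lets a People user see every member value, so the selfread restriction has no effect; only the variants ending in 'by * none' limit that user to their own DN.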