Hi
I'm trying to get an OpenLDAP server (2.3) running with ACLs restricting access to specific attributes.
tb_READ should be allowed to search in the ou people but must not read any attributes other than telephoneNumber, cn, sn, uid...
So I added this access rule to my slapd.conf:
..
access to dn.subtree="ou=people,dc=example,dc=com" attrs=telephoneNumber,cn,sn,mail,roomNumber,uid,givenName by dn="cn=tb_READ,ou=functional,dc=example,dc=com" read
..
After restarting slapd I checked the result of ldapsearch, but it returns nothing:
ldapsearch -x -D "cn=tb_READ,ou=functional,dc=example,dc=com" -b "ou=people,dc=example,dc=com" -W
# extended LDIF
#
# LDAPv3
# base <ou=people,dc=example,dc=com> with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#

# search result
search: 3
result: 0 Success
Accessing the attributes with ldapcompare works fine:
ldapcompare -x -D "cn=tb_READ,ou=functional,dc=example,dc=com" -W "uid=kheine,ou=people,dc=example,dc=com" telephoneNumber:1234
returns TRUE
So the rule seems to work for comparing, but not for searching entries in ou=people.
I searched the archives for more examples of using "attrs" and "dn.subtree", but only found configs where it seems to work this way.
The admin guide (2.3) itself shows this possibility in "6.3 Access Control", so I cannot find the reason why my configuration is not working.
Please help me find an approach to solve this problem; thanks for every piece of advice.
___________________________________ NOCC, http://nocc.sourceforge.net
mheinric@imn.htwk-leipzig.de wrote:
> Hi
> I'm trying to get an OpenLDAP server (2.3) running with ACLs restricting access to specific attributes.
> tb_READ should be allowed to search in the ou people but must not read any attributes other than telephoneNumber, cn, sn, uid...
> So I added this access rule to my slapd.conf:
> ..
> access to dn.subtree="ou=people,dc=example,dc=com" attrs=telephoneNumber,cn,sn,mail,roomNumber,uid,givenName by dn="cn=tb_READ,ou=functional,dc=example,dc=com" read
> ..
> After restarting slapd I checked the result of ldapsearch, but it returns nothing:
> ldapsearch -x -D "cn=tb_READ,ou=functional,dc=example,dc=com" -b "ou=people,dc=example,dc=com" -W
> # extended LDIF
> #
> # LDAPv3
> # base <ou=people,dc=example,dc=com> with scope subtree
> # filter: (objectclass=*)
> # requesting: ALL
> #
>
> # search result
> search: 3
> result: 0 Success
> Accessing the attributes with ldapcompare works fine:
> ldapcompare -x -D "cn=tb_READ,ou=functional,dc=example,dc=com" -W "uid=kheine,ou=people,dc=example,dc=com" telephoneNumber:1234
> returns TRUE
> So the rule seems to work for comparing, but not for searching entries in ou=people.
> I searched the archives for more examples of using "attrs" and "dn.subtree", but only found configs where it seems to work this way.
> The admin guide (2.3) itself shows this possibility in "6.3 Access Control", so I cannot find the reason why my configuration is not working.
> Please help me find an approach to solve this problem; thanks for every piece of advice.
What other ACLs do you have above or below this one? Please provide as much of the configuration as possible to create a bigger picture.
mheinric@imn.htwk-leipzig.de wrote:
> Hi
> I'm trying to get an OpenLDAP server (2.3) running with ACLs restricting access to specific attributes.
> tb_READ should be allowed to search in the ou people but must not read any attributes other than telephoneNumber, cn, sn, uid...
> So I added this access rule to my slapd.conf:
> access to dn.subtree="ou=people,dc=example,dc=com" attrs=telephoneNumber,cn,sn,mail,roomNumber,uid,givenName by dn="cn=tb_READ,ou=functional,dc=example,dc=com" read
If you don't allow access to the "entry" attribute somewhere else, that's why it doesn't work:
(Quoting the Admin Guide 2.3, 6.3.1) "To read (and hence return) a target entry, the subject must have read access to the target's entry attribute."
Bye, Christian
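The point Christian makes is the usual cause of this symptom: slapd checks read access to the pseudo-attribute "entry" before it will return an entry at all, and the original rule never grants it, so the search completes with "Success" and zero entries. The fragment below is an added example written for this thread, not the poster's config or anything from the OpenLDAP project. It assumes it is the complete ACL list for the database, that tb_READ authenticates by simple bind (hence the userPassword rule first), and that every other user should get nothing; if other rules exist, the same "entry" fix still applies but the "by * none" clauses must be reconciled with them, since slapd stops at the first "access to" clause whose target matches.

```conf
# Added example for this thread (not the original slapd.conf).
# Evaluation order matters: slapd uses the first "access to" clause whose
# <what> matches, and within it the first "by" clause whose <who> matches.
# An implicit "by * none" ends every directive and an implicit
# "access to * by * none" ends the list.

# 1. Simple bind needs "auth" access to userPassword of the binding DN
#    (cn=tb_READ,ou=functional,...). Without this, the bind itself fails
#    once an ACL list is present. Nobody gets to read password hashes.
access to attrs=userPassword
    by self write
    by anonymous auth
    by * none

# 2. What tb_READ may see under ou=people:
#    - "entry": required to return an entry from a search (read) and to
#      descend into the subtree (search; "read" implies "search").
#    - "objectClass": the default ldapsearch filter is (objectclass=*),
#      and a filter needs "search" access to the attribute it tests.
#    - the attributes tb_READ is actually allowed to read.
access to dn.subtree="ou=people,dc=example,dc=com"
        attrs=entry,objectClass,telephoneNumber,cn,sn,mail,roomNumber,uid,givenName
    by dn.exact="cn=tb_READ,ou=functional,dc=example,dc=com" read
    by * none

# 3. Every other attribute under ou=people (homePhone, description, ...)
#    is hidden from tb_READ. This clause is only reached when rule 2 did
#    not match the attribute, so it must stay after rule 2.
access to dn.subtree="ou=people,dc=example,dc=com"
    by dn.exact="cn=tb_READ,ou=functional,dc=example,dc=com" none
    by * none
```

After restarting slapd, the same ldapsearch from the original post should now return the entries with only the listed attributes; a request for an attribute outside the list (for example "homePhone") should come back without it rather than with an error. If it still returns nothing, running slapd with "-d 128" (the ACL debug level Dieter mentions further down) prints the per-attribute allow/deny decision for each entry, which shows exactly which clause is denying "entry".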
Hi,
mheinric@imn.htwk-leipzig.de writes:
> Hi
> I'm trying to get an OpenLDAP server (2.3) running with ACLs restricting access to specific attributes.
> tb_READ should be allowed to search in the ou people but must not read any attributes other than telephoneNumber, cn, sn, uid...
> So I added this access rule to my slapd.conf:
> access to dn.subtree="ou=people,dc=example,dc=com" attrs=telephoneNumber,cn,sn,mail,roomNumber,uid,givenName by dn="cn=tb_READ,ou=functional,dc=example,dc=com" read
> After restarting slapd I checked the result of ldapsearch, but it returns nothing
Debug level 128 (ACL) may give some hints.
-Dieter
openldap-software@openldap.org