im trying to get an openldap server (2.3.) running with acl restricting access to special
tb_READ should be allowed to search in the ou people but must not read any attributes
then telephoneNumber, cn, sn, uid...
so i added this access rule to my slapd.conf :
access to dn.subtree="ou=people,dc=example,dc=com"
by dn="cn=tb_READ,ou=functional,dc=example,dc=com" read
after restarting slapd I checked the result of ldapsearch but it returns nothing :
ldapsearch -x -D "cn=tb_READ,ou=functional,dc=example,dc=com" -b
# extended LDIF
# base <ou=people,dc=example,dc=com> with scope subtree
# filter: (objectclass=*)
# requesting: ALL
# search result
result: 0 Success
accessing the attributes by ldapcompare works fine :
ldapcompare -x -D "cn=tb_READ,ou=functional,dc=example,dc=com" -W
so the rule seems to work for comparing, but not for searching entries in ou=people
i searched in the archives for more examples of using "attrs" and
"dn.subtree", but found only configs where it seems to work this way
the admin guide (2.3.) itself shows this possibility on "6.3 Access Control" so
i can not find the reason why my configuration is not working.
Please help me finding an approach to solve this problem, thanks for every advice
What other acls do you have above or below this. Please provide as much
of the configuration as possible to create a bigger picture.
T +44 (0) 1224 279484
M +44 (0) 7930 323266
F +44 (0) 1224 824887
Open Source. Open Solutions(tm).