mheinric(a)imn.htwk-leipzig.de wrote:
Hi
im trying to get an openldap server (2.3.) running with acl restricting access to special
attributes
tb_READ should be allowed to search in the ou people but must not read any attributes
then telephoneNumber, cn, sn, uid...
so i added this access rule to my slapd.conf :
..
access to dn.subtree="ou=people,dc=example,dc=com"
attrs=telephoneNumber,cn,sn,mail,roomNumber,uid,givenName
by dn="cn=tb_READ,ou=functional,dc=example,dc=com" read
..
after restarting slapd I checked the result of ldapsearch but it returns nothing :
ldapsearch -x -D "cn=tb_READ,ou=functional,dc=example,dc=com" -b
"ou=people,dc=example,dc=com" -W
# extended LDIF
#
# LDAPv3
# base <ou=people,dc=example,dc=com> with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#
# search result
search: 3
result: 0 Success
accessing the attributes by ldapcompare works fine :
ldapcompare -x -D "cn=tb_READ,ou=functional,dc=example,dc=com" -W
"uid=kheine,ou=people,dc=example,dc=com" telephoneNumber:1234
returns TRUE
so the rule seems to work for comparing, but not for searching entries in ou=people
i searched in the archives for more examples of using "attrs" and
"dn.subtree", but found only configs where it seems to work this way
the admin guide (2.3.) itself shows this possibility on "6.3 Access Control" so
i can not find the reason why my configuration is not working.
Please help me finding an approach to solve this problem, thanks for every advice
What other acls do you have above or below this. Please provide as much
of the configuration as possible to create a bigger picture.
--
Kind Regards,
Gavin Henry.
Managing Director.
T +44 (0) 1224 279484
M +44 (0) 7930 323266
F +44 (0) 1224 824887
E ghenry(a)suretecsystems.com
Open Source. Open Solutions(tm).
http://www.suretecsystems.com/