BÖSCH Christian wrote:
On 26 Jan 2016, at 12:23 , Michael Ströder michael@stroeder.com wrote:
BÖSCH Christian wrote:
I'm using this ACL:
{0}to filter=(objectclass=person) attrs=Hidden by group.exact="cn=group,ou=groups,o=abc.net" none
but members of the group can still access the attribute Hidden. With any filter it does not work. If I use a single DN it works.
Seems to me filters do not work?
...or there is another ACL applied before reaching this ACL.
No, it's the first ACL entry.
Without seeing the complete configuration one can only guess. Note that global ACLs in cn=config are also applied.
Below is the debug. Do you see something suspicious?
I won't debug your ACLs. It's your homework, especially because you're the only one who has all the necessary information.
Jan 26 12:35:46 openldap1 slapd[84283]: => acl_get: [2] attr Hidden
Jan 26 12:35:46 openldap1 slapd[84283]: => acl_mask: access to entry "uid=user2,ou=people,o=abc.net", attr "Hidden" requested
Jan 26 12:35:46 openldap1 slapd[84283]: => acl_mask: to value by "uid=user1,ou=people,o=abc.net", (=0)
Jan 26 12:35:46 openldap1 slapd[84283]: <= check a_group_pat: cn=group,ou=groups,o=abc.net
Jan 26 12:35:46 openldap1 slapd[84283]: => mdb_entry_get: found entry: "cn=group,ou=groups,o=abc.net"
Jan 26 12:35:46 openldap1 slapd[84283]: <= check a_authz.sai_ssf: ACL 128 > OP 256
Jan 26 12:35:46 openldap1 slapd[84283]: <= acl_mask: [1] applying read(=rscxd) (stop)
Jan 26 12:35:46 openldap1 slapd[84283]: <= acl_mask: [1] mask: read(=rscxd)
Jan 26 12:35:46 openldap1 slapd[84283]: => slap_access_allowed: read access granted by read(=rscxd)
Jan 26 12:35:46 openldap1 slapd[84283]: => access_allowed: read access granted by read(=rscxd)
Jan 26 12:35:46 openldap1 slapd[84283]: connection_read(36): no connection!
You have to check why there is read access granted.
Ciao, Michael.
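Michael's advice amounts to finding out which ACL, and which "by" clause in it, actually granted the read. The following is an added example, not code from the thread or from OpenLDAP: it parses slapd's ACL trace format and reports the ACL ordinal and by-clause ordinal slapd printed for each decision, using the trace from the thread as sample input (the mdb_entry_get, mask, slap_access_allowed and connection_read lines, which carry no additional ACL information, are omitted).

```python
import re

# Sample input: the slapd ACL trace lines posted in the thread above (a subset).
SAMPLE_TRACE = """\
Jan 26 12:35:46 openldap1 slapd[84283]: => acl_get: [2] attr Hidden
Jan 26 12:35:46 openldap1 slapd[84283]: => acl_mask: access to entry "uid=user2,ou=people,o=abc.net", attr "Hidden" requested
Jan 26 12:35:46 openldap1 slapd[84283]: => acl_mask: to value by "uid=user1,ou=people,o=abc.net", (=0)
Jan 26 12:35:46 openldap1 slapd[84283]: <= check a_group_pat: cn=group,ou=groups,o=abc.net
Jan 26 12:35:46 openldap1 slapd[84283]: <= check a_authz.sai_ssf: ACL 128 > OP 256
Jan 26 12:35:46 openldap1 slapd[84283]: <= acl_mask: [1] applying read(=rscxd) (stop)
Jan 26 12:35:46 openldap1 slapd[84283]: => access_allowed: read access granted by read(=rscxd)
"""

# [n] in acl_get is the ordinal of the ACL that matched the entry/attribute; [n] in
# acl_mask is the ordinal of the "by" clause inside that ACL (slapd's own 1-based counters).
R_ACL = re.compile(r'=> acl_get: \[(\d+)\] attr (\S+)')
R_REQ = re.compile(r'=> acl_mask: access to entry "([^"]+)", attr "([^"]+)" requested')
R_SUBJ = re.compile(r'=> acl_mask: to value by "([^"]+)"')
R_GROUP = re.compile(r'<= check a_group_pat: (\S+)')
R_SSF = re.compile(r'<= check a_authz\.sai_ssf: ACL (\d+) > OP (\d+)')
R_APPLY = re.compile(r'<= acl_mask: \[(\d+)\] applying (\w+)\(=(\w+)\) \((\w+)\)')
R_RESULT = re.compile(r'=> access_allowed: (\w+) access (granted|denied) by (\S+)')

def parse_acl_trace(text):
    """Group slapd ACL trace messages into one dict per access decision."""
    decisions, cur = [], None
    for line in text.splitlines():
        if m := R_ACL.search(line):
            cur = {"acl_number": int(m[1]), "attr": m[2], "group_checks": [], "ssf_checks": []}
        elif cur is None:          # lines before the first acl_get belong to no decision
            continue
        elif m := R_REQ.search(line):
            cur["entry"], cur["attr"] = m[1], m[2]
        elif m := R_SUBJ.search(line):
            cur["subject"] = m[1]
        elif m := R_GROUP.search(line):
            cur["group_checks"].append(m[1])
        elif m := R_SSF.search(line):  # the clause is skipped only when ACL ssf > OP ssf
            cur["ssf_checks"].append((int(m[1]), int(m[2]), int(m[1]) > int(m[2])))
        elif m := R_APPLY.search(line):
            cur["by_clause"], cur["access"], cur["mask"], cur["control"] = int(m[1]), m[2], m[3], m[4]
        elif m := R_RESULT.search(line):
            cur["granted"] = m[2] == "granted"
            decisions.append(cur)
            cur = None
    return decisions

def explain(d):
    """One-line summary of which ACL and by-clause produced the decision."""
    verdict = "granted" if d["granted"] else "denied"
    return (f'ACL #{d["acl_number"]}, by-clause {d["by_clause"]}: {d["access"]} {verdict} '
            f'({d["mask"]}) on {d["entry"]} attr {d["attr"]} for {d["subject"]}')
```

Running `explain` over `parse_acl_trace(SAMPLE_TRACE)` reports the read as coming from ACL #2, by-clause 1, which is the starting point for comparing the trace against the ACL order in the actual configuration.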