BÖSCH Christian wrote:
> On 26 Jan 2016, at 12:23, Michael Ströder <michael(a)stroeder.com> wrote:
>
> BÖSCH Christian wrote:
>> I'm using this ACL:
>>
>> {0}to filter=(objectclass=person) attrs=Hidden by group.exact="cn=group,ou=groups,o=abc.net" none
>>
>> But members of the group can still access the attribute Hidden.
>> With any filter it does not work.
>> If I use a single DN it works.
>>
>> Seems to me filters do not work?
>
> ..or there is another ACL applied before reaching this ACL.
> No, it's the first ACL entry.
Without seeing the complete configuration one can only guess.
Note that global ACLs in cn=config are also applied.
> Below is the debug. Do you see something suspicious?
I won't debug your ACLs. It's your homework, especially because you're the only one who has all the necessary information.
> Jan 26 12:35:46 openldap1 slapd[84283]: => acl_get: [2] attr Hidden
> Jan 26 12:35:46 openldap1 slapd[84283]: => acl_mask: access to entry "uid=user2,ou=people,o=abc.net", attr "Hidden" requested
> Jan 26 12:35:46 openldap1 slapd[84283]: => acl_mask: to value by "uid=user1,ou=people,o=abc.net", (=0)
> Jan 26 12:35:46 openldap1 slapd[84283]: <= check a_group_pat: cn=group,ou=groups,o=abc.net
> Jan 26 12:35:46 openldap1 slapd[84283]: => mdb_entry_get: found entry: "cn=group,ou=groups,o=abc.net"
> Jan 26 12:35:46 openldap1 slapd[84283]: <= check a_authz.sai_ssf: ACL 128 > OP 256
> Jan 26 12:35:46 openldap1 slapd[84283]: <= acl_mask: [1] applying read(=rscxd) (stop)
> Jan 26 12:35:46 openldap1 slapd[84283]: <= acl_mask: [1] mask: read(=rscxd)
> Jan 26 12:35:46 openldap1 slapd[84283]: => slap_access_allowed: read access granted by read(=rscxd)
> Jan 26 12:35:46 openldap1 slapd[84283]: => access_allowed: read access granted by read(=rscxd)
> Jan 26 12:35:46 openldap1 slapd[84283]: connection_read(36): no connection!
You have to check why there is read access granted.
Ciao, Michael.
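Added example (not from the thread or from OpenLDAP): a small script that condenses an slapd ACL trace like the one above into one line per decision, showing which ACL position and which "by" clause produced the grant, plus a wrapper around slapacl(8) to reproduce the decision offline. It assumes the bracketed number in "acl_get: [N]" is the 1-based position of the ACL in evaluation order and the one in "acl_mask: [N]" is the "by" clause number within that ACL, and the config directory path is a placeholder.

```shell
#!/bin/sh
# Summarise slapd ACL trace lines ("loglevel acl" / "-d acl") so the
# unexpected grant is visible at a glance. Assumption: "acl_get: [N]" counts
# ACLs in evaluation order (1-based), "acl_mask: [N]" counts "by" clauses.

# Reads a trace on stdin and prints, per access decision:
#   attr=<name> acl=<n> by=<n> access=<mask> subject=<bind dn>
acl_trace_summary() {
    awk '
        /acl_get: \[[0-9]+\] attr/ {
            acl = $0; sub(/.*acl_get: \[/, "", acl); sub(/\].*/, "", acl)
            attr = $NF
        }
        /acl_mask: to value by/ {
            subj = $0; sub(/.*to value by "/, "", subj); sub(/".*/, "", subj)
        }
        /acl_mask: \[[0-9]+\] applying/ {
            by = $0; sub(/.*acl_mask: \[/, "", by); sub(/\].*/, "", by)
            mask = $0; sub(/.*applying /, "", mask); sub(/ .*/, "", mask)
            printf "attr=%s acl=%s by=%s access=%s subject=%s\n", attr, acl, by, mask, subj
        }
    '
}

# Reproduce the decision offline with slapacl, which emits the same
# acl_get/acl_mask lines with "-d acl". /etc/openldap/slapd.d is an assumed
# path; usage: slapacl_check <bind dn> <entry dn> <attr/access>
slapacl_check() {
    slapacl -F /etc/openldap/slapd.d -d acl -D "$1" -b "$2" "$3" 2>&1 | acl_trace_summary
}

# Constructed sample: the thread's trace with the mail wrapping undone.
demo() {
    acl_trace_summary <<'EOF'
Jan 26 12:35:46 openldap1 slapd[84283]: => acl_get: [2] attr Hidden
Jan 26 12:35:46 openldap1 slapd[84283]: => acl_mask: access to entry "uid=user2,ou=people,o=abc.net", attr "Hidden" requested
Jan 26 12:35:46 openldap1 slapd[84283]: => acl_mask: to value by "uid=user1,ou=people,o=abc.net", (=0)
Jan 26 12:35:46 openldap1 slapd[84283]: <= check a_group_pat: cn=group,ou=groups,o=abc.net
Jan 26 12:35:46 openldap1 slapd[84283]: <= acl_mask: [1] applying read(=rscxd) (stop)
Jan 26 12:35:46 openldap1 slapd[84283]: <= acl_mask: [1] mask: read(=rscxd)
EOF
}

demo
```

If the summary shows an ACL position other than 1 for the Hidden attribute, the {0} rule was not the one that decided; compare it against the full `olcAccess` list, including global ACLs, in the same order slapd evaluates them.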