Hi!
A related interesting question: Are the ACL permissions for attributes needed to do the actual matching of entries, or are they only used to add the attributes of the matched entries to the result set? I was wondering what "entry" actually is, and I imagine if LDAP search could return the count of matching entries only (i.e. no attributes at all), that could be relevant...
Regards, Ulrich
Michael Ströder michael@stroeder.com wrote on 23.10.2018 at 12:07 in
message 155dbd7d-c3f4-fe5e-601e-c2e3d14d0805@stroeder.com:
On 10/23/18 11:47 AM, Philip Colmer wrote:
I'm trying to use the following search filter:
(&(objectClass=organizationalPerson)(!(ou:dn:=external-community))(memberOf=cn=users,ou=mailing,ou=groups,dc=linaro,dc=org))
If I use an admin account, the search works. If I use a restricted account, the search doesn't work.
Summary: You have to grant search privilege to all attributes used in the filter and read access to pseudo-attribute 'entry' and all other attributes to be returned in search results.
The restricted account is only allowed to retrieve a subset of attributes, e.g.:
add: olcAccess
olcAccess: to dn.children="dc=linaro,dc=org" filter=(objectClass=organizationalUnit)
  attrs=entry,description,organizationalStatus,mail,jpegPhoto,@organizationalUnit
  by group="cn=binder-group,ou=binders,dc=linaro,dc=org" read

add: olcAccess
olcAccess: to dn.children="dc=linaro,dc=org" filter=(objectClass=inetOrgPerson)
  attrs=businessCategory,jpegPhoto,labeledURI,roomNumber,modifyTimestamp,employeeNumber,memberOf
  by group="cn=binder-group,ou=binders,dc=linaro,dc=org" read
Attribute 'entry' is missing here?
Ciao, Michael.
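As an added example that is not part of the thread, here is the second ACL from Philip's message reworked along the lines of Michael's summary: every attribute the filter references gets at least search access, and the entry pseudo-attribute plus the attributes to be returned get read. The config database DN olcDatabase={1}mdb,cn=config is an assumption.

```ldif
# Added example (not from the thread). Assumes the same DIT and binder group
# as the posted rules; the database DN is an assumption, use your own.
#
# First value: the filter uses objectClass, ou (via ou:dn:) and memberOf.
# objectClass and ou are needed only to evaluate the filter, so they get
# the minimum level for that, 'search', and are never returned.
#
# Second value: 'entry' must be readable for a matched entry to be returned
# at all. 'read' implies 'search', so listing memberOf here covers both its
# use in the filter and its presence in the results.
dn: olcDatabase={1}mdb,cn=config
changetype: modify
add: olcAccess
olcAccess: to dn.children="dc=linaro,dc=org" filter=(objectClass=inetOrgPerson)
  attrs=objectClass,ou
  by group="cn=binder-group,ou=binders,dc=linaro,dc=org" search
olcAccess: to dn.children="dc=linaro,dc=org" filter=(objectClass=inetOrgPerson)
  attrs=entry,businessCategory,jpegPhoto,labeledURI,roomNumber,modifyTimestamp,employeeNumber,memberOf
  by group="cn=binder-group,ou=binders,dc=linaro,dc=org" read
-
```

Before loading this, slapacl(8) shows what a given bind DN would actually get for one entry, e.g. slapacl -b "<DN of a person entry>" -D "<DN of a binder-group member>" objectClass/search entry/read memberOf/search, which makes the difference between search and read on 'entry' visible without running the client query.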