I have now tried adding another acl in the middle as follows:

access to dn.subtree="ou=abc,dc=aa,dc=bb,dc=cc" attrs="entry"
by dn="uid=Admin,ou=Operators,dc=aa,dc=bb,dc=cc" search

This does not change anything.
As far as I understand, the
attrs="entry"
is implicit.

Thanks,
Dorit.

On 5/8/2012 11:49 AM, Nick Milas wrote:
On 8/5/2012 10:56 πμ, Dorit wrote:


I am trying to configure my openldap server to allow a user to read a list of users only if they have the "host" attribute with a specific value, for instance "csa". I am using rhel 6, openldap 2.4.23 server. When I have the following 2 acl's, the user Admin can get the full contents of the 'abc' container:

access to attrs=userPassword
by dn="uid=0,dc=aa,dc=bb,dc=cc" write
by * auth

access to dn.subtree="ou=abc,dc=aa,dc=bb,dc=cc"
by dn="uid=Admin,ou=Operators,dc=aa,dc=bb,dc=cc" read

When I change the 2nd acl as follows, I get no response at all:

access to dn.subtree="ou=abc,dc=aa,dc=bb,dc=cc" filter=(host=csa)
by dn="uid=Admin,ou=Operators,dc=aa,dc=bb,dc=cc" read

There are a few records in the abc container which have the attribute host with the 'csa' value. I have tried to give search permission to the entire container and then add the permission of read only to the filter as follows:

access to dn.subtree="ou=abc,dc=aa,dc=bb,dc=cc"
by dn="uid=Admin,ou=Operators,dc=aa,dc=bb,dc=cc" =cs

access to dn.subtree="ou=abc,dc=aa,dc=bb,dc=cc" filter=(host=csa)
by dn="uid=Admin,ou=Operators,dc=aa,dc=bb,dc=cc" +r

but I still don't get my list with ldapsearch. What am I missing here?


Have you given proper search/read rights to the entry attribute? (Quote from the manual: "There are two special pseudo attributes entry and children. To read (and hence return) a target entry, the subject must have read access to the target's entry attribute. To perform a search, the subject must have search access to the search base's entry attribute.")

Regards,
Nick