Hi Quanah,
Let me explain in detail.
Now I can search the entire OU and contextCSN as below. I am searching with the bind DN.
++ olcAccess: {1}to dn.subtree="dc=ldapprod,dc=com" by dn="cn=admin,dc=ldapprod,dc=com" write by dn="uid=authuser, dc=ldapprod,dc=com" write by dn="uid=repluser, dc=ldapprod,dc=com" read by dn="uid=replmonitor, dc=ldapprod,dc=com" read by * none ++
ldapsearch -x -H ldaps://IP address -D "uid=replmonitor,dc=ldapprod,dc=com" -W -b "dc=ldapprod,dc=com" contextCSN
+++++
# ldapprod.com
dn: dc=ldapprod,dc=com
contextCSN: 20200212065804.242207Z#000000#000#000000
contextCSN: 20200213163933.076777Z#000000#001#000000

# admin, ldapprod.com
dn: cn=admin,dc=ldapprod,dc=com

# group, ldapprod.com
dn: ou=group,dc=ldapprod,dc=com

# people, ldapprod.com
dn: ou=people,dc=ldapprod,dc=com

# repluser, ldapprod.com
dn: uid=repluser,dc=ldapprod,dc=com

# authuser, ldapprod.com
dn: uid=authuser,dc=ldapprod,dc=com

# monitor, ldapprod.com
dn: cn=monitor,dc=ldapprod,dc=com

# replmonitor, ldapprod.com
dn: uid=replmonitor,dc=ldapprod,dc=com
+++++
Now replmonitor has got full access like admin, where it can do all operations like the cn=admin user. Now I want to restrict the user replmonitor so that it can only search and query the contextCSN attribute, not any other DN.
How can I achieve this?
Kindly guide me.
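One way to express the restriction asked for above, as an added configuration example that is not from this thread or from Quanah's reply (the database entry olcDatabase={1}mdb,cn=config is an assumption; the rest uses the DNs from the original olcAccess value):

```ldif
# Added example, not from this thread. Assumes the database entry is
# olcDatabase={1}mdb,cn=config; adjust it to the real database DN.
# slapd evaluates olcAccess values in order and applies the first one
# whose "to" target matches, so the narrow contextCSN rule must sort
# before the broad subtree rule that replaces the original {1}.
# "entry" is the pseudo-attribute slapd checks before it returns an
# entry at all; objectClass is included so the default (objectClass=*)
# filter can match. "by * break" lets every other identity fall
# through to the subtree rule instead of being denied here.
dn: olcDatabase={1}mdb,cn=config
changetype: modify
delete: olcAccess
olcAccess: {1}
-
add: olcAccess
olcAccess: {1}to dn.base="dc=ldapprod,dc=com" attrs=contextCSN,entry,objectClass
  by dn.exact="uid=replmonitor,dc=ldapprod,dc=com" read
  by * break
olcAccess: {2}to dn.subtree="dc=ldapprod,dc=com"
  by dn.exact="cn=admin,dc=ldapprod,dc=com" write
  by dn.exact="uid=authuser,dc=ldapprod,dc=com" write
  by dn.exact="uid=repluser,dc=ldapprod,dc=com" read
  by * none
```

After applying this, the ldapsearch above bound as uid=replmonitor should return only the dc=ldapprod,dc=com entry with its contextCSN values, while the same bind searching under ou=people or any other child entry gets no results because replmonitor no longer appears in the subtree rule.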
On Sun, 16 Feb 2020 at 01:22, Quanah Gibson-Mount quanah@symas.com wrote:
--On Saturday, February 15, 2020 9:21 PM +0530 keerthi krishnan keerthikrishnan1369@gmail.com wrote:
Hi Quanah,
Now the user replmonitor has admin privilege, where it can list all cn. I have tried adding attrs=contextcsn, but no luck. Could you please guide me on how I can restrict this.
contextcsn is an internally managed operational attribute, which means you need to explicitly request it as a part of your search operation, or request that all operational attrs be returned. How are you testing whether or not the bind DN has the ability to read the attribute?
Regards, Quanah
--
Quanah Gibson-Mount
Product Architect
Symas Corporation
Packaged, certified, and supported LDAP solutions powered by OpenLDAP:
http://www.symas.com