Hi Quanah, 

Let me explain in detail. 

Now I can search the entire OU and contextCSN as below. I am searching with the bind DN.

++
olcAccess: {1}to dn.subtree="dc=ldapprod,dc=com" by dn="cn=a
 dmin,dc=ldapprod,dc=com" write by dn="uid=authuser,
 dc=ldapprod,dc=com" write by dn="uid=repluser,
 dc=ldapprod,dc=com" read by dn="uid=replmonitor,
 dc=ldapprod,dc=com" read by * none
++


 ldapsearch -x -H ldaps://IP address -D "uid=replmonitor,dc=ldapprod,dc=com" -W  -b "dc=ldapprod,dc=com" contextCSN

+++++
# ldapprod.com
dn: dc=ldapprod,dc=com
contextCSN: 20200212065804.242207Z#000000#000#000000
contextCSN: 20200213163933.076777Z#000000#001#000000

# admin, ldapprod.com
dn: cn=admin,dc=ldapprod,dc=com

# group, ldapprod.com
dn: ou=group,dc=ldapprod,dc=com

# people, ldapprod.com
dn: ou=people,dc=ldapprod,dc=com

# repluser, ldapprod.com
dn: uid=repluser,dc=ldapprod,dc=com

# authuser, ldapprod.com
dn: uid=authuser,dc=ldapprod,dc=com

# monitor, ldapprod.com
dn: cn=monitor,dc=ldapprod,dc=com

# replmonitor, ldapprod.com
dn: uid=replmonitor,dc=ldapprod,dc=com
+++++

Now replmonitor has got full access like admin, where it can do all operations like the cn=admin user. Now I want to restrict the user replmonitor so that it can only search and query the contextCSN attr, not any other DN.

How can I achieve this?

Kindly guide me. 


On Sun, 16 Feb 2020 at 01:22, Quanah Gibson-Mount <quanah@symas.com> wrote:


--On Saturday, February 15, 2020 9:21 PM +0530 keerthi krishnan
<keerthikrishnan1369@gmail.com> wrote:

> Hi Quanah, 

> Now the user replmonitor has admin privilege, where it can list all cn.
> I have tried adding attrs=contextcsn, but no luck. Could you please
> guide me, how can I restrict this.

contextcsn is an internally managed operational attribute, which means you
need to explicitly request it as a part of your search operation, or
request that all operational attrs be returned.  How are you testing
whether or not the bind DN has the ability to read the attribute?

Regards,
Quanah


--

Quanah Gibson-Mount
Product Architect
Symas Corporation
Packaged, certified, and supported LDAP solutions powered by OpenLDAP:
<http://www.symas.com>
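
One way to express the restriction asked about in this thread, as an added example that is not part of the original messages and not either participant's configuration. The database DN `olcDatabase={1}mdb,cn=config` is an assumed placeholder, and rule `{0}` (not shown in the thread) is assumed to stay as it is.

```ldif
# Added example (not from the thread). Apply with ldapmodify against cn=config.
# Assumption: the database holding dc=ldapprod,dc=com is olcDatabase={1}mdb;
# substitute the real database entry DN.
#
# Why the thread's rule {1} exposes every entry to replmonitor:
# slapd uses the first "to" clause that matches the target, then the first
# "by" clause that matches the requester. Rule {1} targets the whole subtree
# and its replmonitor clause grants read, so every entry under the suffix is
# readable by that DN.
#
# Change made here:
#   1. Delete the existing rule {1}.
#   2. Insert a narrow rule {1}: only the suffix entry, only the "entry"
#      pseudo-attribute and contextCSN, read for replmonitor. "by * break"
#      sends every other requester on to the next rule.
#   3. Re-add the subtree rule as {2} without the replmonitor clause, so
#      replmonitor falls through to "by * none" for everything else.
#
# Continuation lines start with two spaces: the first marks the LDIF
# continuation, the second is the separator inside the ACL value.
#
# Assumption to verify on your slapd version: if a search with the default
# filter (objectClass=*) returns nothing, search access to the filter
# attribute may also be required; adding objectClass to the attrs list of
# rule {1} is one way to grant it.
dn: olcDatabase={1}mdb,cn=config
changetype: modify
delete: olcAccess
olcAccess: {1}
-
add: olcAccess
olcAccess: {1}to dn.base="dc=ldapprod,dc=com" attrs=entry,contextCSN
  by dn.exact="uid=replmonitor,dc=ldapprod,dc=com" read
  by * break
olcAccess: {2}to dn.subtree="dc=ldapprod,dc=com"
  by dn="cn=admin,dc=ldapprod,dc=com" write
  by dn="uid=authuser,dc=ldapprod,dc=com" write
  by dn="uid=repluser,dc=ldapprod,dc=com" read
  by * none
-
```

To check the result, repeat the thread's ldapsearch bound as replmonitor: only the `dc=ldapprod,dc=com` entry with its contextCSN values should be returned, and none of the other DNs listed in the earlier output.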