On 8/5/2012 10:56 πμ, Dorit wrote:
I am trying to configure my openldap server to allow a user to read a list of users only if they have the "host" attribute with a specific value, for instance "csa". I am using rhel 6, openldap 2.4.23 server. When I have the following 2 acl's, the user Admin can get the full contents of the 'abc' container:
access to attrs=userPassword by dn="uid=0,dc=aa,dc=bb,dc=cc" write by * auth
access to dn.subtree="ou=abc,dc=aa,dc=bb,dc=cc" by dn="uid=Admin,ou=Operators,dc=aa,dc=bb,dc=cc" read
When I change the 2nd acl as follows, I get no response at all:
access to dn.subtree="ou=abc,dc=aa,dc=bb,dc=cc" filter=(host=csa) by dn="uid=Admin,ou=Operators,dc=aa,dc=bb,dc=cc" read
There are a few records in the abc container which have the attribute host with the 'csa' value. I have tried to give search permission to the entire container and then add the permission of read only to the filter as follows:
access to dn.subtree="ou=abc,dc=aa,dc=bb,dc=cc" by dn="uid=Admin,ou=Operators,dc=aa,dc=bb,dc=cc" =cs
access to dn.subtree="ou=abc,dc=aa,dc=bb,dc=cc" filter=(host=csa) by dn="uid=Admin,ou=Operators,dc=aa,dc=bb,dc=cc" +r
but I still don't get my list with ldapsearch. What am I missing here?
Have you given proper search/read rights to the entry attribute? (Quote from the manual: "There are two special pseudo attributes entry and children. To read (and hence return) a target entry, the subject must have read access to the target's entry attribute. To perform a search, the subject must have search access to the search base's entry attribute.")
Regards, Nick