Ron Peterson wrote:
Hi,
(OpenLDAP version 2.4.23)
I have a filter expression in an ACL that is somehow affecting my ability to retrieve specific attributes. What's strange (to me) is that with or without the filter expression in place, I can retrieve all attributes, i.e. the full object.
4986# ldapsearch -LLL -Z -x -y ../../private/pwemail '(uid=rpeterso)'
dn: yDirectoryID=c44883ba-ac62-d28c-556f-99ccbf532da7,ou=email
yDirectoryID: c44883ba-ac62-d28c-556f-99ccbf532da7
objectClass: yAccount
objectClass: inetOrgPerson
uid: rpeterso
mail: rpeterso@mtholyoke.edu
etc...
But if I specify a particular attribute, then having the filter expression in place somehow inhibits my ability to retrieve the specific attribute(s).
Without filter expression:
4987# ldapsearch -LLL -Z -x -y ../../private/pwemail '(uid=rpeterso)' mail
dn: yDirectoryID=c44883ba-ac62-d28c-556f-99ccbf532da7,ou=email
mail: rpeterso@mtholyoke.edu
With filter expression in place:
4990# ldapsearch -LLL -Z -x -y ../../private/pwemail '(uid=rpeterso)' mail
dn: yDirectoryID=c44883ba-ac62-d28c-556f-99ccbf532da7,ou=email
The ACL in question looks like:
access to dn.regex="(yDirectoryID=.*),ou=email"
        filter="(&(yInstitution=mtholyoke.edu)(yGlobalPermission=allow)(|(yApplicationPermission=email)(&(yDefaultApplicationPermission=allow)(!(yApplicationPermission=email)))))"
    by dn.regex=$1,ou=people,ou=accounts,ou=prod,dc=mtholyoke,dc=edu read
    by dn="uid=email,ou=admin,ou=accounts,ou=prod,dc=mtholyoke,dc=edu" read
    by * none
I've turned my logging way up, and the hiccup seems to be that the DN I've authenticated as (uid=email,ou=admin,ou=accounts,ou=prod,dc=mtholyoke,dc=edu) needs read access to the attributes in the filter expression. But how do I give that account read access to those attributes, without then exposing the objects that I'm trying to hide with the filter expression?
Give it auth access, not read access.
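What the reply above amounts to in slapd.conf terms, as an added example that is not part of the original thread: a separate ACL, placed before the filtered one, grants the application account only "auth" (=x) on the four attributes the filter references. "auth" sits below "compare", "search" and "read" in slapd's privilege ordering, so slapd can evaluate the filter for that identity without the identity being able to search on, compare or retrieve those attributes, and entries the filter rejects stay hidden. The attribute names, DNs and filter are copied from the post; the regex anchors (^ and $) and the use of dn.exact are additions here, not something the post had.

```conf
# Added example (not from the original post). Order matters: slapd uses
# the first "access to" clause whose target matches, so the auth-only
# clause for the filter attributes must come before the filtered clause.
#
# 1. Filter attributes: the email application account gets auth only,
#    the account owner likewise (it also needs the filter evaluated for it).
access to dn.regex="^(yDirectoryID=.*),ou=email$"
        attrs=yInstitution,yGlobalPermission,yApplicationPermission,yDefaultApplicationPermission
    by dn.regex="^$1,ou=people,ou=accounts,ou=prod,dc=mtholyoke,dc=edu$" auth
    by dn.exact="uid=email,ou=admin,ou=accounts,ou=prod,dc=mtholyoke,dc=edu" auth
    by * none

# 2. Everything else on the entry (including the entry pseudo-attribute,
#    since no attrs= is given) is readable only when the filter passes,
#    exactly as in the original ACL.
access to dn.regex="^(yDirectoryID=.*),ou=email$"
        filter="(&(yInstitution=mtholyoke.edu)(yGlobalPermission=allow)(|(yApplicationPermission=email)(&(yDefaultApplicationPermission=allow)(!(yApplicationPermission=email)))))"
    by dn.regex="^$1,ou=people,ou=accounts,ou=prod,dc=mtholyoke,dc=edu$" read
    by dn.exact="uid=email,ou=admin,ou=accounts,ou=prod,dc=mtholyoke,dc=edu" read
    by * none
```

Two things to check after loading this. First, repeat the failing search from the post (ldapsearch ... '(uid=rpeterso)' mail, bound as uid=email): the mail attribute should now come back, while an explicit request for yInstitution or a search filtered on (yGlobalPermission=allow) by that same identity returns nothing, because auth does not include read or search. Second, the first clause deliberately stops the account owner from reading its own permission attributes; if owners are supposed to see those, change that line to read, accepting that the four attributes are then visible to the owner even on entries the filter hides. The anchors are worth keeping in either case: dn.regex patterns are matched as regular expressions, so without ^ and $ the original pattern also matches any DN that merely contains "yDirectoryID=...,ou=email".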