A warm "Hello" from germany to the openldap-technical list!
I´m rather new to OpenLDAP, using version 2.4.12 on a SLES11 server. I need to write an ACL which allows a user to see his own entry (objectClass build up on inetOrgPerson) and nothing else. I know that this isn´t the intended use of the LDAP system, but our manager wants it that way.
I tried it with somekind of that:
access to dn.regex="uid=([^,]+),dc=justushere,dc=de$" attrs=entry by dn.regex="uid=$1,ou=Users,dc=justushere,dc=de" write by users none
but I just get a message about invalid credentials. Used command was: ldapsearch -xWD uid=user1,ou=users,dc=justushere,dc=de uid=user1
ldapsearch -xWD cn=admin,dc=justushere,dc=de uid=user1 with the rootdn account shows the information, but if the uid of the user1 is used for binding it fails.
Has anyone an idea how to realize these restrictions? Additionally not all attributes should get listed to the user, only a few important for him. My idea was to use a ACL like the above to be sure the user only gets access to his object and then add a second ACL below who restricts the access to the important attributes.
Best regards Florian Götz