"Kick, Claus" claus.kick@siemens.com writes:
Hello all,
Since there is some time, I figured I'd rectify our openldap configuration and use proper ACLs.
We are using the following version on Solaris 10:
[...]
Our user subtree is organized as shown below:
o=suffix
ou=people,o=suffix
uid=kdz,ou=people,o=suffix
uid=hyc,ou=people,o=suffix
ou=removed_accounts,ou=people,o=suffix
uid=abcd,ou=removed_accounts,ou=people,o=suffix
uid=efgh,ou=removed_accounts,ou=people,o=suffix
Basically, I want a getent passwd not to list entries below ou=removed_accounts,ou=people,o=suffix, for a client application still considers the removed accounts as users (it probably searches the whole subtree).
I read the documentation for 2.3:
http://www.openldap.org/doc/admin23/slapdconfig.html#Access%20Control
And found this:
The scope can be either base, one, subtree, or children. Where base matches only the entry with provided DN, one matches the entries whose parent is the provided DN, subtree matches all entries in the subtree whose root is the provided DN, and children matches all entries under the DN (but not the entry named by the DN).
So, I figured that an ACL (no global ACLs any longer) like this
access to dn.one="ou=People,o=suffix" by * write
should hide the removed accounts and only show the active ones.
But it does not: it still contains all the children of
ou=removed_accounts,ou=people,o=suffix
and of
ou=people,o=suffix
using dn.base="ou=People,o=suffix" by * write.
Where am I making a mistake?
access to dn.subtree=ou=removed_accounts,ou=people,o=suffix by none
access to dn.one=ou=people,o=suffix by * write
-Dieter
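The following is an added illustration, not part of this thread or of OpenLDAP: a small Python model of slapd's first-match walk over "access to dn.<scope>=..." directives, run over the DN tree from the question with the two directives from the reply. It assumes DNs without escaped commas, a <who> of "*" or an exact DN, and takes the level for an entry that no directive matches as a parameter, since that depends on the rest of slapd.conf.

```python
# Added example, not from the thread: a toy model of slapd's first-match
# walk over "access to dn.<scope>=... by ..." directives. Assumed: no
# escaped commas in DNs, <who> is "*" or an exact DN, and the level for an
# entry no directive matches is a parameter (it depends on slapd.conf).

def norm(dn):
    # DN comparison is case-insensitive here, so "ou=People" == "ou=people".
    return ",".join(rdn.strip().lower() for rdn in dn.split(","))

def dn_matches(scope, pattern, target):
    """The four dn.<scope> styles quoted from the 2.3 admin guide."""
    p, t = norm(pattern), norm(target)
    if scope == "base":
        return t == p
    if scope == "one":
        return t.split(",", 1)[1:] == [p]   # parent of target is the pattern
    if scope == "subtree":
        return t == p or t.endswith("," + p)
    if scope == "children":
        return t != p and t.endswith("," + p)
    raise ValueError("unknown scope: " + scope)

def evaluate(acls, target, who="*", default="none"):
    """First directive whose <what> matches the entry wins; inside it the
    first matching <by> clause sets the level; an exhausted <by> list ends
    in the implicit 'by * none'."""
    for scope, pattern, by_clauses in acls:
        if dn_matches(scope, pattern, target):
            for subject, level in by_clauses:
                if subject == "*" or norm(subject) == norm(who):
                    return level
            return "none"
    return default

# The reply's two directives in the order given ("by none" spelled out as
# the equivalent "by * none"):
REPLY_ACLS = [
    ("subtree", "ou=removed_accounts,ou=people,o=suffix", [("*", "none")]),
    ("one", "ou=people,o=suffix", [("*", "write")]),
]
TREE = ["ou=people,o=suffix", "uid=kdz,ou=people,o=suffix",
        "ou=removed_accounts,ou=people,o=suffix",
        "uid=abcd,ou=removed_accounts,ou=people,o=suffix"]

if __name__ == "__main__":
    # Reversed, dn.one claims ou=removed_accounts before the deny rule sees it.
    for label, acls in (("reply order", REPLY_ACLS), ("reversed", REPLY_ACLS[::-1])):
        for dn in TREE:
            print(f"{label:12} {evaluate(acls, dn):5} {dn}")
```

Note that the dn.one directive from the question matches neither ou=removed_accounts's children nor ou=people itself, so those entries fall through to whatever default the rest of the configuration provides.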