If I have this ACL:
to dn="sendmailMTAKey=test@bbbbb.com,ou=eeee,ou=ddddd,ou=ccccc,dc=bbbbb,dc=aaaaa,dc=local" by ssf=64 dn.exact="uid=acctest,ou=ffff,ou=ddddd,ou=ccccc,dc=bbbbb,dc=aaaaa,dc=local" read
I can access it with this ldapsearch:
ldapsearch -LLL -W -s sub -b "sendmailMTAKey=test@bbbbb.com,ou=eeee,ou=ddddd,ou=ccccc,dc=bbbbb,dc=aaaaa,dc=local" -D "uid=acctest,ou=ffff,ou=ddddd,ou=ccccc,dc=bbbbb,dc=aaaaa,dc=local" -H ldaps://ldap.local sendmailMTAKey
If I change the ACL to:
to dn="sendmailMTAKey=test@bbbbb.com,ou=eeee,ou=ddddd,ou=ccccc,dc=bbbbb,dc=aaaaa,dc=local" attrs="sendmailMTAKey" by ssf=64 dn.exact="uid=acctest,ou=ffff,ou=ddddd,ou=ccccc,dc=bbbbb,dc=aaaaa,dc=local" read
the ldapsearch does not return any object. How do I resolve this?
I had to add objectClass to Dan's example to get this to work. Not sure if this is the correct approach though.
access to dn.subtree="ou=People,dc=example,dc=com" attrs="entry,uid,cn,sn,mail,mailHost" by dn="cn=outsourced_ironport,dc=example,dc=com" read by * break
[1] https://www.openldap.org/faq/data/cache/429.html
-----Original Message----- To: openldap-technical Subject: Acl attribute access
However attributes of cn=test,ou=People,dc=example,dc=com are not working.
Anyone there?
Now I have it that either one works, but not both. Reversing these rules also does not work (keeping the continue at {5}):
{5} access to dn.subtree="ou=People,dc=example,dc=com" by dn="cn=outsourced_bla,dc=example,dc=com" read by * continue
{6} access to dn.subtree="ou=People,dc=example,dc=com" attrs="entry,uid,cn,sn,mail,mailHost" by dn="cn=outsourced_ironport,dc=example,dc=com" read
Any help possible?
You are confusing “continue” with “break”.
On Aug 31, 2020, at 9:22 AM, Marc Roos M.Roos@f1-outsourcing.eu wrote:
// John Pfeifer Division of Information Technology University of Maryland, College Park
Hmm, I am not too familiar with the ACLs. I have solved it now by duplicating the "by" lines into the other section, something like this:
{5} access to dn.subtree="ou=People,dc=example,dc=com" attrs="entry,uid,cn,sn,mail,mailHost" by dn="cn=outsourced_ironport,dc=example,dc=com" read by dn="cn=outsourced_bla,dc=example,dc=com" read
{6} access to dn.subtree="ou=People,dc=example,dc=com" by dn="cn=outsourced_bla,dc=example,dc=com" read
But I am not too pleased with this solution either. I had to create a new account and save the password on a client, while user account DNs are available there, and they should be able to access these 'own' attributes.
https://www.mail-archive.com/openldap-technical@openldap.org/msg25113.html
-----Original Message----- To: openldap-technical Subject: Re: Now combining acl attribute access with regular access fails
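As an added example (written for this page, not taken from the thread or from OpenLDAP's documentation), the two-rule set from Marc's message is rewritten with "break", the control John's reply points at, plus the "entry" pseudo-attribute the attribute-level rule needs, so no "by" lines have to be duplicated. Account and subtree DNs are the thread's own; the slapacl config path is an assumption.

```conf
# Added example, not from the thread: slapd.conf-style ACLs for the
# ou=People subtree that do what Marc's {5}/{6} rules were meant to do,
# using "break" instead of "continue" and without duplicated "by" lines.
#
# Why the form quoted in the thread fails: "by * continue" only moves on
# to the NEXT "by" CLAUSE of the same rule. With none left, evaluation
# ends there, and cn=outsourced_ironport is denied because this rule
# (no attrs= means every attribute) already matched the entry:
#
#   access to dn.subtree="ou=People,dc=example,dc=com"
#       by dn="cn=outsourced_bla,dc=example,dc=com" read
#       by * continue
#
# Corrected: "break" hands the decision to the NEXT "access" DIRECTIVE,
# so every identity other than outsourced_bla falls through to rule 2.
access to dn.subtree="ou=People,dc=example,dc=com"
    by dn.exact="cn=outsourced_bla,dc=example,dc=com" read
    by * break

# Attribute-level rule. "entry" is the pseudo-attribute that governs
# whether the entry itself may be returned at all; "objectClass" is
# needed because ldapsearch's default filter (objectClass=*) requires
# search access to it. Omit either and the search matches but returns
# nothing, as in the first message of the thread. "by self read" lets
# each People entry read its own listed attributes without a shared
# service account (the wish in Marc's last reply).
access to dn.subtree="ou=People,dc=example,dc=com"
        attrs="entry,objectClass,uid,cn,sn,mail,mailHost"
    by dn.exact="cn=outsourced_ironport,dc=example,dc=com" read
    by self read
    by * none

# Verify offline with slapacl(8) against the loaded config (the -F path
# is an assumption; the entry DN is the one from the thread). Expect the
# first two checks ALLOWED and the write DENIED:
#   slapacl -F /etc/openldap/slapd.d \
#       -D "cn=outsourced_ironport,dc=example,dc=com" \
#       -b "cn=test,ou=People,dc=example,dc=com" \
#       entry/read mail/read sn/write
```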
--On Monday, August 31, 2020 9:10 PM +0200 Marc Roos M.Roos@f1-outsourcing.eu wrote:
But I am not too pleased with this solution either. I had to create a new account and save the password on a client, while user account DNs are available there, and they should be able to access these 'own' attributes.
Read the slapd.access(5) man page to learn about ACLs.
https://www.mail-archive.com/openldap-technical@openldap.org/msg25113.html
Why are you referencing some random archiving site? Archives are available at https://lists.openldap.org/hyperkitty/list/openldap-technical@openldap.org/
Regards, Quanah
--
Quanah Gibson-Mount Product Architect Symas Corporation Packaged, certified, and supported LDAP solutions powered by OpenLDAP: http://www.symas.com
Where can I get some support on these ACLs?