
Re: access to ... attrs=entry,attr1,attr2 not restricting access properly (ITS#1925)



Kurt@OpenLDAP.org wrote:

>>Restricting access to specific attributes does not work properly.
>>
>>access to attrs=userPassword
>> by anonymous auth
>> by self read
>> by * none
>>
>># Restrict access to attr1 and attr2 if hideMe is set
>>access to dn.children="ou=People,dc=carleton,dc=edu" filter="hideme=*"
>> attrs=entry,attr1,attr2
>>   by self read break
>>   by users read
>>   by * none
>>
>># If hideMe is NOT set (or if user=self), go ahead and reveal everything
>>access to *
>> by users read
>> by * none
>>
>>In the above case if a user (not self) binds to the directory (OpenLDAP
>>2.1.2), then the user can see everything, as if the second rule above were
>>not there - although a traceback shows that in fact that rule is applied.
>>Note that even if I change the "by users read" line in the second rule to
>>an explicit "by users read stop" the problem still persists.
>
> The behavior you describe is consistent with your ACLs.

From the documentation, you'd expect the first 'by users read'
clause above to apply and block processing before the 'access to *'
rule applies.  This is the behavior I expected from the documentation.
And it's the behavior that actually makes sense to me -
although I freely admit that I'm new to OpenLDAP.

-- 

Richard Goerwitz                               richard@Goerwitz.COM
tel: 507 645 7015
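To check what the three directives quoted in this thread grant to each kind of binder, here is an added example: a small Python model of slapd's directive walk, written for this page rather than taken from OpenLDAP, and an assumption in the sense that it implements only the simplified semantics stated in its comments. The binders, DN and entry in it are constructed.

```python
# Simplified model of how slapd walks "access to" directives: only dn.children,
# filter="<attr>=*", literal attrs lists and the "stop" (default) and "break"
# controls are modelled. Not OpenLDAP code; DNs and the entry are constructed.
def who_matches(who, binder, entry_dn):
    return (who == "*" or (who == "anonymous" and binder is None)
            or (who == "users" and binder is not None)
            or (who == "self" and binder is not None and binder.lower() == entry_dn.lower()))

def target_matches(rule, entry_dn, entry, attr):
    base, filt, attrs = rule.get("dn_children"), rule.get("filter"), rule.get("attrs")
    if base and not entry_dn.lower().endswith("," + base.lower()):
        return False
    if filt and filt.lower() not in {a.lower() for a in entry}:   # filter="<attr>=*"
        return False
    return attrs is None or attr in attrs                           # None means "access to *"

def evaluate(acl, binder, entry_dn, entry, attr):
    """Access level the binder gets on one attribute (or the 'entry' pseudo-attribute)."""
    granted = "none"
    for rule in acl:
        if not target_matches(rule, entry_dn, entry, attr):
            continue                               # directive does not cover this attribute
        for who, level, *control in rule["by"]:
            if not who_matches(who, binder, entry_dn):
                continue
            granted = level
            if control != ["break"]:
                return granted                     # default "stop": first matching clause decides
            break                                  # "break": go on to the next matching directive
        else:
            return "none"                          # no clause matched: implicit "by * none"
    return granted

def readable(acl, binder, entry_dn, entry):
    # Attributes the binder can read; empty if the entry itself is not readable.
    if evaluate(acl, binder, entry_dn, entry, "entry") != "read":
        return []
    return sorted(a for a in entry if evaluate(acl, binder, entry_dn, entry, a) == "read")

# The three directives from the report above, transcribed into the model.
ACL = [
    {"attrs": {"userPassword"},
     "by": [("anonymous", "auth"), ("self", "read"), ("*", "none")]},
    {"dn_children": "ou=People,dc=carleton,dc=edu", "filter": "hideme",
     "attrs": {"entry", "attr1", "attr2"},
     "by": [("self", "read", "break"), ("users", "read"), ("*", "none")]},
    {"by": [("users", "read"), ("*", "none")]},
]
ALICE = "uid=alice,ou=People,dc=carleton,dc=edu"            # constructed entry with hideMe set
ENTRY = {"uid": ["alice"], "hideme": ["TRUE"], "attr1": ["x"], "attr2": ["y"], "userPassword": ["secret"]}
```

Run against another authenticated user, the model grants read on attr1 and attr2 through the second directive's own `by users read` clause and read on every other attribute through `access to *`, which is the observation reported above. In the model, changing that clause to `by users none` hides attr1 and attr2 from other users, but because `entry` sits in the same attrs list it hides the whole entry from them as well.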