Re: access to ... attrs=entry,attr1,attr2 not restricting access properly (ITS#1925)
Kurt@OpenLDAP.org wrote:
>>Restricting access to specific attributes does not work properly.
>>
>>access to attrs=userPassword
>> by anonymous auth
>> by self read
>> by * none
>>
>># Restrict access to attr1 and attr2 if hideMe is set
>>access to dn.children="ou=People,dc=carleton,dc=edu" filter="hideme=*"
>> attrs=entry,attr1,attr2
>> by self read break
>> by users read
>> by * none
>>
>># If hideMe is NOT set (or if user=self), go ahead and reveal everything
>>access to *
>> by users read
>> by * none
>>
>>In the above case if a user (not self) binds to the directory (OpenLDAP
>>2.1.2), then the user can see everything, as if the second rule above were
>>not there - although a traceback shows that in fact that rule is applied.
>>Note that even if I change the "by users read" line in the second rule to
>>an explicit "by users read stop" the problem still persists.
>
> The behavior you describe is consistent with your ACLs.
From the documentation, you'd expect the first 'by users read'
clause above to apply and block processing before the 'access to *'
rule applies. This is the behavior I expected from the documentation.
And it's the behavior that actually makes sense to me -
although I freely admit that I'm new to OpenLDAP.
--
Richard Goerwitz richard@Goerwitz.COM
tel: 507 645 7015
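The evaluation order Kurt is pointing at (the first "access to" directive whose target matches is selected; inside it the first matching "by" clause decides; its control is stop by default, "continue" tries later "by" clauses of the same directive, "break" moves on to the next directive) can be walked through mechanically. The Python below is an added example written for this page, not OpenLDAP code, and it only models the <who> forms and target selectors that appear in the report. Assumptions, marked in the source: an exhausted "by" list acts like the implicit trailing "by * none"; a later directive reached through "break" replaces the level outright (incremental "+"/"-" privileges are not modelled); a request no directive matches gets none. The entries, bind DNs and the INTENDED_ACLS variant ("by users none" in place of "by users read") are constructed here and are my guess at what the reporter was after, not anything the thread states.

```python
"""Toy model of slapd ACL evaluation after slapd.access(5). Added illustration,
not OpenLDAP code. Assumptions: an unmatched "by" list behaves like the implicit
trailing "by * none"; a directive reached via "break" replaces the level outright
(incremental +/- privileges not modelled); no matching directive yields none."""
from dataclasses import dataclass
from typing import List, Optional, Set


@dataclass
class By:
    who: str                 # "anonymous", "users", "self" or "*"
    level: str               # "none", "auth", "compare", "search", "read", "write"
    control: str = "stop"    # "stop" (default), "continue" or "break"


@dataclass
class Access:
    by: List[By]
    attrs: Optional[Set[str]] = None     # None means any attribute ("access to *")
    dn_children: Optional[str] = None    # entry must lie strictly below this DN
    filter_attr: Optional[str] = None    # entry must carry this attribute (filter="x=*")


def dn_is_child_of(dn: str, base: str) -> bool:
    """dn.children: strict subordinate of base (case-insensitive compare)."""
    dn, base = dn.lower(), base.lower()
    return dn != base and dn.endswith("," + base)


def target_matches(acl: Access, entry: dict, attr: str) -> bool:
    if acl.attrs is not None and attr.lower() not in {a.lower() for a in acl.attrs}:
        return False
    if acl.dn_children and not dn_is_child_of(entry["dn"], acl.dn_children):
        return False
    if acl.filter_attr and acl.filter_attr.lower() not in {k.lower() for k in entry}:
        return False
    return True


def who_matches(by: By, entry: dict, bind_dn: Optional[str]) -> bool:
    if by.who == "*":
        return True
    if by.who == "anonymous":
        return bind_dn is None
    if by.who == "users":
        return bind_dn is not None
    if by.who == "self":
        return bind_dn is not None and bind_dn.lower() == entry["dn"].lower()
    raise ValueError("unsupported <who>: " + by.who)


def evaluate(acls: List[Access], entry: dict, attr: str, bind_dn: Optional[str]) -> str:
    """Return the access level bind_dn gets on entry/attr under acls."""
    granted = "none"
    for acl in acls:
        if not target_matches(acl, entry, attr):
            continue
        matched, control = False, "stop"
        for by in acl.by:
            if not who_matches(by, entry, bind_dn):
                continue
            matched, granted, control = True, by.level, by.control
            if control != "continue":
                break
        if not matched:
            return "none"          # assumed implicit "by * none": ends evaluation
        if control == "break":
            continue               # carry on with the next directive
        return granted             # stop: this directive decided
    return granted


# The three directives from the report, transcribed into the model above.
REPORTED_ACLS = [
    Access(attrs={"userPassword"},
           by=[By("anonymous", "auth"), By("self", "read"), By("*", "none")]),
    Access(dn_children="ou=People,dc=carleton,dc=edu", filter_attr="hideme",
           attrs={"entry", "attr1", "attr2"},
           by=[By("self", "read", "break"), By("users", "read"), By("*", "none")]),
    Access(by=[By("users", "read"), By("*", "none")]),
]

# Assumed intent (my guess, not from the thread): non-self users get nothing on attr1/attr2.
INTENDED_ACLS = [
    REPORTED_ACLS[0],
    Access(dn_children="ou=People,dc=carleton,dc=edu", filter_attr="hideme",
           attrs={"entry", "attr1", "attr2"},
           by=[By("self", "read", "break"), By("users", "none"), By("*", "none")]),
    REPORTED_ACLS[2],
]

# Constructed sample entries and bind DN (not from the report).
HIDDEN = {"dn": "uid=alice,ou=People,dc=carleton,dc=edu",
          "hideme": "TRUE", "attr1": "secret", "attr2": "secret", "cn": "Alice"}
VISIBLE = {"dn": "uid=carol,ou=People,dc=carleton,dc=edu",
           "attr1": "public", "attr2": "public", "cn": "Carol"}
OTHER_USER = "uid=bob,ou=People,dc=carleton,dc=edu"

if __name__ == "__main__":
    for label, acls in (("reported", REPORTED_ACLS), ("intended", INTENDED_ACLS)):
        print(label, "bob on hidden attr1:", evaluate(acls, HIDDEN, "attr1", OTHER_USER))
        print(label, "self on hidden attr1:", evaluate(acls, HIDDEN, "attr1", HIDDEN["dn"]))
        print(label, "bob on hidden cn:", evaluate(acls, HIDDEN, "cn", OTHER_USER))
```

Walking the reported directives for a non-self user on attr1 of an entry with hideme set: the first directive is skipped (wrong attribute), the second is selected, "by self read break" does not match, "by users read" does, and its default control is stop, so the result is read and the "access to *" directive is never consulted. The directive is applied, exactly as the reporter's trace shows; it simply grants read rather than withholding it. Changing that clause to "by users none" (the INTENDED_ACLS variant above, an assumption) yields none for other users, while self still gets read through "break" followed by "access to *", and attributes outside the attrs list keep falling through to "access to *". Whatever the model says, confirm against the real server: slapacl(8) evaluates the configured ACLs for a given bind DN, entry and attribute without a running slapd.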