
Re: ACL to permit access to some attributes



Quanah Gibson-Mount wrote:
> 
> --On Friday, April 02, 2004 12:21 PM +0200 "José M. Fandiño"
> <ldap@fadesa.es> wrote:
> 
> > => access_allowed: read access to "uid=00010,dc=fadesa,dc=es" "entry"
> 
> Your problem is coming right here.
> 
> I suggest you add the following acl:
> 
> access to attrs=entry
>    by * read
> 
> near the top of your ACLs
> 
> I was told at one point that this was not necessary anymore, but I have
> kept it in my ACL files, and you seem to be hitting the same issue.

Quanah, you hit the nail on the head with that one, thank you.

Even using an ACL like this returns all requested attributes.

access to dn.children="dc=fadesa,dc=es" attrs=entry,mail
        by * read

# ldapsearch -x  -h 195.55.55.167 -s sub -b "dc=fadesa,dc=es" '(mail=*)'
.
.
# 00010, fadesa.es
dn: uid=00010,dc=fadesa,dc=es
mail: perico@foo.bar

However, a question that remains unanswered for me, and perhaps
someone on the list can explain it, is what the difference is between
using "attrs=userPassword" (in a typical password access restriction
ACL) and "attrs=mail" (in my ACL). Why do I need to add "entry" for mail
and not for userPassword?

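As an added illustration (not part of this thread), an slapd.conf ACL set that makes the "entry" pseudo-attribute explicit; the suffix dc=example,dc=com is a placeholder. Read access to "entry" is decided by the first matching rule like any other attribute, so a userPassword restriction followed by a catch-all read rule already covers it, while a dedicated mail rule scoped to dn.children does not unless "entry" is listed.

```conf
# Added example, not from the original thread. Suffix is a placeholder.

# 1. Passwords: never readable; a bind only needs "auth" access.
#    This rule matches only the userPassword attribute, so it says
#    nothing about "entry" and a later rule decides that.
access to attrs=userPassword
        by self write
        by anonymous auth
        by * none

# 2. Mail addresses for anonymous search: a hit is only returned when
#    "entry" is readable too, so it is granted together with mail.
#    Listing only attrs=mail here would return no entries to anonymous
#    clients because rule 3 below denies "entry" to them.
access to dn.children="dc=example,dc=com" attrs=entry,mail
        by * read

# 3. Catch-all: authenticated users may read everything else,
#    including "entry"; anonymous clients get nothing more.
access to *
        by users read
        by * none
```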