
Re: Can't read attribute except as root





On 20/12/2010, at 23:29, Richard Connon wrote:

> Hi. I'm having some trouble reading certain attributes using non-root DNs on my directory.
> My olcAccess attributes on the relevant database are these:
> 
> olcAccess: {0}to attrs=userPassword,shadowLastChange,loginShell,gecos  by self write  by anonymous auth  by * none
> olcAccess: {1}to *  by * read
> 
> My understanding suggests that the second line should allow any user and even anonymous to read all attributes, but I can't read the loginShell attribute as anonymous.


No, this is correct.

The ACLs are evaluated in order. So in your query, the login shell is matched by the first ACL, and anonymous can only use it for binding.

If it were another attribute, let's say UID, this won't match the first ACL, and will go down to the second one.

The general rule is targeted ACLs first, then generalised ones after.

William Brown

pgp.mit.edu
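As an added illustration of the ordering rule above (this LDIF is not from the thread or from the OpenLDAP project; the database DN `olcDatabase={1}hdb,cn=config` is a placeholder to be replaced with the real one), the following splits the original first ACL so that `loginShell` and `gecos` get their own targeted rule with `by * read`, while `userPassword` and `shadowLastChange` keep the restrictive `by * none` fallback. Because slapd stops at the first `to` clause whose target matches, the attributes are only world-readable because rule `{1}` now says so explicitly; they never reach the catch-all `{2}`:

```ldif
# Added example, not part of the original message.
# Placeholder database DN: substitute the olcDatabase entry of the affected backend.
dn: olcDatabase={1}hdb,cn=config
changetype: modify
replace: olcAccess
# {0}: credentials stay protected; anonymous may only use them to bind.
olcAccess: {0}to attrs=userPassword,shadowLastChange
  by self write
  by anonymous auth
  by * none
# {1}: targeted rule for the attributes that should be readable by everyone.
# Matched before {2} because it is more specific and comes first.
olcAccess: {1}to attrs=loginShell,gecos
  by self write
  by * read
# {2}: generalised catch-all for everything not matched above.
olcAccess: {2}to *
  by * read
```

The continuation lines start with two spaces because LDIF folding strips exactly one leading space when joining a line. Applying it with `ldapmodify -Y EXTERNAL -H ldapi:/// -f acl.ldif` from the server host assumes the usual `cn=config` setup where the local root user is authorised via the ldapi socket. After the change, an anonymous `ldapsearch -x` on an entry should return `loginShell` and `gecos` but still omit `userPassword`, which is the check worth running to confirm the first rule did not lose its protection.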


