(Answer) (Category) OpenLDAP Faq-O-Matic : (Category) OpenLDAP Software FAQ : (Category) Configuration : (Category) SLAPD Configuration : (Category) Access Control : (Answer) How do I grant access to a subset of attributes?
You can grant access to a set of attributes by specifying a list of attribute names in the ACL "to" clause. To be useful, you also need to grant access to the "entry" itself. Also note how "children" controls the ability to add, delete, and rename entries. 
# mail: self may write, authenticated users may read
access to attrs=mail
  by self write
  by users read
  by * none

# cn, sn: self my write, all may read
access to attrs=cn,sn
  by self write
  by * read

# immediate children: only self can add/delete entries under this entry
access to attrs=children
  by self write

# entry itself: self may write, all may read
access to attrs=entry
  by self write
  by * read

# other attributes: self may write, others have no access
access to *
  by self write
  by * none
ObjectClass names may also be specified in this list, which will affect all the attributes that are required and/or allowed by that objectClass. Actually, names in attrlist that are prefixed by @ are directly treated as objectClass names. A name prefixed by ! is also treated as an objectClass, but in this case the access rule affects the attributes that are not required nor allowed by that objectClass.

Note that it may be useful to define new objectclasses specifically for use in access lists. This allows the list of controlled attributes to be managed separately from the rules implementing the control.

For example, here are two objectclasses defined for this purpose: 

objectclass ( 1.2.826.0.1.3458854.666.3.1 NAME 'attrsetAnonVisible'
        DESC 'Attributes visible to anonymous users'
        AUXILIARY
        MAY ( objectclass $ cn $ sn $ displayname $ mail $ uniqueIdentifier )
        )
#
objectclass ( 1.2.826.0.1.3458854.666.3.2 NAME 'attrsetUserVisible'
        DESC 'Attributes visible to authenticated users'
        AUXILIARY
        MAY ( telephoneNumber )
        )
#

They could be used in rules like this: 

# Grant permissions for authenticated users
#
access to filter="(objectclass=person)"
        attrs="@attrsetAnonVisible,@attrsetUserVisible"
        by users read
        by * break
#
# Grant permissions for anonymous users
#
access to filter="(objectclass=person)"
        attrs="@attrsetAnonVisible"
        by * read

access to * by * none

andrew.findlay@skills-1st.co.uk

If you're using slapd.conf rules, and want to allow searches and then reads of certain attributes, you may need to add "entry" to the list of attributes you want to make available for things to work.

I wanted to allow an ironport mail appliance to only have access to a few attributes for the People tree.

I ended up with the following. without the attr "entry" it didn't work. 

access to dn.subtree="ou=People,dc=example,dc=com" attrs="entry,uid,cn,sn,mail,mailHost"
    by dn="cn=outsourced_ironport,dc=example,dc=com" read
    by * break


danpritts@yahoo.com
[Append to This Answer]
Previous: (Answer) How do I use groups to manage access control?
Next: (Answer) How do I allow a user write to all entries below theirs?
This document is: http://www.openldap.org/faq/index.cgi?file=429
[Search] [Appearance]
This is a Faq-O-Matic 2.721.test.
© Copyright 1998-2013, OpenLDAP Foundation, info@OpenLDAP.org