
Re: (ITS#6479) olcAccess filter does not work

> >
> > olcAccess {3}to dn.subtree="dc=site" filter=(objectclass=*)
> > attrs=cn,email,entry,objectClass,uid by * read
> >
> > works ok, changing the olcAccess filter to e.g. person
> >
> > olcAccess {3}to dn.subtree="dc=site" filter=(objectclass=person)
> > attrs=cn,email,entry,objectClass,uid by * read
> >
> > gives no results
> 
> Given that this is specifically tested by test006, and this test routinely
> passes, and considering how incomplete your report is, I recommend you
> provide a means to easily reproduce the issue (e.g. detailed slapd.conf,
> LDIF data and details about the unsuccessful operation) in order to have
> this issue report processed further.
> 
> p.

Hello p.,

so, if I got you right, this 'test006' states that this must be a
configuration error and I'd better move on to the support mailing list
or somewhere else.

If this should not be the case, here's what I've got:

There's no slapd.conf; it's empty.

# {1}hdb, config
dn: olcDatabase={1}hdb,cn=config
objectClass: olcDatabaseConfig
objectClass: olcHdbConfig
olcDatabase: {1}hdb
olcDbDirectory: /var/lib/ldap
olcSuffix: dc=site
olcRootDN: cn=admin,dc=site
olcRootPW: xxxxxxxxxxxxxxxx
olcDbCacheSize: 10000
olcDbCheckpoint: 1024 5
olcDbIDLcacheSize: 30000
olcDbIndex: objectclass eq
olcDbIndex: uidNumber eq
olcDbIndex: gidNumber eq
olcDbIndex: member eq
olcDbIndex: memberUid eq
olcDbIndex: mail eq
olcDbIndex: cn eq,sub
olcDbIndex: displayName eq,sub
olcDbIndex: uid eq,sub
olcDbIndex: sn eq,sub
olcDbIndex: givenName eq,sub
olcAccess: {0}to attrs=userPassword by self write by * auth
olcAccess: {1}to attrs=shadowLastChange by self write by * read
olcAccess: {2}to attrs=userPKCS12 by self read by * none
olcAccess: {3}to dn.subtree="dc=site" filter=(objectclass=inetOrgPerson) attrs
 =cn,email,entry,objectClass,uid by * read
olcAccess: {4}to * by * none

I only have access to the test system now, so the dc and objectclass are different.

Here is the only user:

# test, people, site
dn: uid=test,ou=people,dc=site
cn: test test
gidNumber: 100
givenName: test
homeDirectory: /home/test
loginShell: /bin/bash
objectClass: top
objectClass: posixAccount
objectClass: inetOrgPerson
sn: test
uid: test
uidNumber: 1001

If I do an ldapsearch -x -b ou=people,dc=site, or the same search as the test user,
there are no results.

What I want to achieve is anonymous and user read access only to
inetOrgPerson entries and special attributes, nothing else. No groupOfNames or device entries in the subtree.

Regards

Hellweiss
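The following is an added illustration, not code from the thread or from OpenLDAP. It is a toy evaluator for the five olcAccess lines posted above, modelling only the slapd.access(5) semantics that matter here: rules are tried in order and the first 'to' clause that covers the (entry, attribute) pair decides; dn.subtree, dn.base, filter=(objectclass=X) and attrs=... restrict the 'to' clause; only the 'by *' grant is tracked (enough for an anonymous ldapsearch); and a search first needs read access to the "entry" pseudo-attribute of the search base. Access checks on attributes used in the search filter are left out. The base entry ou=people,dc=site is assumed to be an organizationalUnit (the message does not show it), and CONTAINER_RULE is a hypothetical extra rule, not something the thread proposes.

```python
from typing import List, Optional, Set


class Entry:
    def __init__(self, dn: str, objectclasses: Set[str]) -> None:
        self.dn = dn
        self.objectclasses = {o.lower() for o in objectclasses}


class Rule:
    """One olcAccess line: its 'to' clause plus the 'by *' grant."""
    def __init__(self, dn: Optional[str] = None, scope: str = "subtree",
                 oc_filter: Optional[str] = None,
                 attrs: Optional[Set[str]] = None, grant: str = "none") -> None:
        self.dn = dn                  # None means 'to *' (any entry)
        self.scope = scope            # "subtree" or "base"
        self.oc_filter = oc_filter    # X from filter=(objectclass=X); "*" matches any entry
        self.attrs = None if attrs is None else {a.lower() for a in attrs}
        self.grant = grant


def in_subtree(dn: str, base: str) -> bool:
    dn, base = dn.lower(), base.lower()
    return dn == base or dn.endswith("," + base)


def rule_matches(rule: Rule, entry: Entry, attr: str) -> bool:
    if rule.dn is not None:
        if rule.scope == "base" and entry.dn.lower() != rule.dn.lower():
            return False
        if rule.scope == "subtree" and not in_subtree(entry.dn, rule.dn):
            return False
    if rule.oc_filter not in (None, "*") and rule.oc_filter.lower() not in entry.objectclasses:
        return False
    if rule.attrs is not None and attr.lower() not in rule.attrs:
        return False
    return True


def access(rules: List[Rule], entry: Entry, attr: str) -> str:
    """First rule whose 'to' clause covers (entry, attr) decides; otherwise deny."""
    for rule in rules:
        if rule_matches(rule, entry, attr):
            return rule.grant
    return "none"


def search(rules: List[Rule], base: Entry, entries: List[Entry]) -> List[str]:
    """DNs an anonymous subtree search would return, checking 'entry' access only."""
    if access(rules, base, "entry") != "read":
        return []                      # search base not visible: empty result
    return [e.dn for e in entries
            if in_subtree(e.dn, base.dn) and access(rules, e, "entry") == "read"]


def posted_rules(oc_filter: str, extra: Optional[Rule] = None) -> List[Rule]:
    """The five olcAccess lines from the message; rule {3}'s filter is a parameter."""
    rules = [
        Rule(attrs={"userPassword"}, grant="auth"),        # {0}
        Rule(attrs={"shadowLastChange"}, grant="read"),    # {1}
        Rule(attrs={"userPKCS12"}, grant="none"),          # {2}
    ]
    if extra is not None:
        rules.append(extra)            # hypothetical extra rule inserted before {3}
    rules.append(Rule(dn="dc=site", oc_filter=oc_filter,                       # {3}
                      attrs={"cn", "email", "entry", "objectClass", "uid"}, grant="read"))
    rules.append(Rule(grant="none"))   # {4}to * by * none
    return rules


# Constructed data: the search base (objectClass assumed; the message does not
# show this entry) and the posted uid=test entry.
BASE = Entry("ou=people,dc=site", {"top", "organizationalUnit"})
TEST = Entry("uid=test,ou=people,dc=site", {"top", "posixAccount", "inetOrgPerson"})
# Hypothetical rule (not from the thread): read on the container's 'entry' only.
CONTAINER_RULE = Rule(dn="ou=people,dc=site", scope="base", attrs={"entry"}, grant="read")


def demo(oc_filter: str, extra: Optional[Rule] = None) -> List[str]:
    return search(posted_rules(oc_filter, extra), BASE, [BASE, TEST])


if __name__ == "__main__":
    print("filter=(objectclass=*):            ", demo("*"))
    print("filter=(objectclass=inetOrgPerson):", demo("inetOrgPerson"))
    print("same, plus container rule:         ", demo("inetOrgPerson", CONTAINER_RULE))
```

With filter=(objectclass=*) the base ou=people is covered by rule {3}, so its "entry" pseudo-attribute is readable and the search proceeds. With filter=(objectclass=inetOrgPerson) the base is not an inetOrgPerson, falls through to {4}to * by * none, and the search returns nothing even though uid=test itself would be readable. When auditing ACLs that restrict by filter, check the containers on the search path separately from the leaf entries.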