[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: ACL to permit access to some attributes

To: ldap@fadesa.es
Subject: Re: ACL to permit access to some attributes
From: Quanah Gibson-Mount <quanah@stanford.edu>
Date: Thu, 01 Apr 2004 10:36:50 -0800
Cc: openldap-software@OpenLDAP.org
Content-disposition: inline
In-reply-to: <406C438F.5B39E4AA@fadesa.es>
References: <406852D1.17DBB92B@fadesa.es> <2676543445.1080555809@cadabra.stanford.edu> <4069B1E0.3FFC53A@fadesa.es> <2761852313.1080641120@cadabra.stanford.edu> <406AAEA3.8FBFF216@fadesa.es> <65169568.1080726736@cadabra.stanford.edu> <406C438F.5B39E4AA@fadesa.es>

--On Thursday, April 01, 2004 6:30 PM +0200 "José M. Fandiño" <ldap@fadesa.es> wrote:

=> access_allowed: search access to "uid=00010,dc=fadesa,dc=es"
"objectClass" requested => dn: [1]
=> dn: [2] cn=subschema
=> dn: [3] dc=fadesa,dc=es
=> acl_get: [3] matched
=> acl_get: [3] check attr objectClass
<= acl_get: done.
=> access_allowed: no more rules

You are filtering on objectclass = ?? but you haven't given access to the objectclasses for filtering. You can't filter on something that you haven't given access to. Right now, you need more acl's.

access to dn.children="dc=fadesa,dc=es" attrs=mail,objectclass
by * read

for example

--Quanah

--
Quanah Gibson-Mount
Principal Software Developer
ITSS/TSS/Computing Systems
ITSS/TSS/Infrastructure Operations
Stanford University
GnuPG Public Key: http://www.stanford.edu/~quanah/pgp.html

Follow-Ups:
- Re: ACL to permit access to some attributes
  - From: "José M. Fandiño" <ldap@fadesa.es>

References:
- Re: ACL to permit access to some attributes
  - From: "José M. Fandiño" <ldap@fadesa.es>

Prev by Date: Re: Syslog and OpenLDAP
Next by Date: RE: SASL Authentication Segfaults slapd: DoS
Index(es):
- Chronological
- Thread