Re: Access list - limiting access to attribute
Lukas Kubin writes:
> I need to limit access to mail-related attributes of my users' tree.
> I created the following acl entries:
>
> access to dn="ou=(groups|users|services),dc=one,dc=two,dc=com$$"
>     attrs=mail
>     by dn="cn=admin,dc=two,dc=com$$" write
>     by self write
>     by dn.base="uid=mailBrowser,ou=system,dc=one,dc=two,dc=com" read
>     by dn.base="uid=usersBrowser,ou=system,dc=one,dc=two,dc=com" read
>
> access to dn="ou=(groups|users|services),dc=one,dc=two,dc=com$$"
>     by dn="cn=admin,dc=two,dc=com$$" write
>     by dn.base="uid=usersBrowser,ou=system,dc=one,dc=two,dc=com" read
>     by self read
>
> But I still cannot make user "mailBrowser" browse the attribute
> "mail". It cannot access it unless it is given the same privileges as
> user "usersBrowser" has. But then it can see all other attributes.
I see what you are trying to do now. The problem is, a user can't read
an attribute unless it also has access to the entry which contains that
attribute.
You can grant mailBrowser 'entry' access, which just grants access to
the entry without granting access to the attributes in it. I'm not sure
just what 'entry' access allows mailBrowser to do with the entry, but at
least it's more restrictive than giving mailBrowser full access:
access to dn.regex="ou=(groups|users|services),dc=one,dc=two,dc=com$$"
    attrs=entry
    by dn.exact="cn=admin,dc=two,dc=com" write
    by self read
    by dn.exact="uid=mailBrowser,ou=system,dc=one,dc=two,dc=com" read
    by dn.exact="uid=usersBrowser,ou=system,dc=one,dc=two,dc=com" read

access to dn.regex="ou=(groups|users|services),dc=one,dc=two,dc=com$$"
    attrs=mail
    by dn.exact="cn=admin,dc=two,dc=com" write
    by self write
    by dn.exact="uid=mailBrowser,ou=system,dc=one,dc=two,dc=com" read
    by dn.exact="uid=usersBrowser,ou=system,dc=one,dc=two,dc=com" read

access to dn.regex="ou=(groups|users|services),dc=one,dc=two,dc=com$$"
    by dn.exact="cn=admin,dc=two,dc=com" write
    by dn.exact="uid=usersBrowser,ou=system,dc=one,dc=two,dc=com" read
    by self read
BTW, I changed cn=admin,dc=two,dc=com$$ (cn=admin or any subordinate
entry) to just cn=admin, which I expect is what you meant.
--
Hallvard
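The following is an added illustration, not part of the thread and not slapd code: a small Python model of slapd's first-match ACL evaluation, run over the original poster's two directives and over the reply's three, to show why mailBrowser sees nothing until it is granted access to the 'entry' pseudo-attribute. It simplifies real slapd (no search-vs-read distinction on the entry, no filter attribute checks) and assumes that a directive with no attrs clause covers the entry pseudo-attribute and that no matching directive at all means no access; the sample user entry is constructed.

```python
import re
from dataclasses import dataclass
from typing import Optional

# slapd access levels in order; a granted level implies every level below it.
LEVELS = ["none", "disclose", "auth", "compare", "search", "read", "write"]

@dataclass
class Access:
    dn_regex: str         # <what>: dn.regex pattern (slapd.conf writes the '$' anchor as '$$')
    attrs: Optional[set]  # attrs= list; None = no attrs clause, assumed to cover 'entry' too
    by: list              # <who> clauses in order: (exact DN | "self" | "*", level)

def _who_matches(who, bind_dn, target_dn):
    return who == "*" or (who == "self" and bind_dn == target_dn) or who == bind_dn

def level(acl, bind_dn, target_dn, attr):
    """Level granted on one attribute (or the 'entry' pseudo-attribute) of target_dn.
    Only the first directive whose <what> matches is consulted; if none of its <who>
    clauses match, evaluation stops there with 'none' (the implicit trailing 'by * none')."""
    for d in acl:
        if not re.search(d.dn_regex, target_dn):
            continue
        if d.attrs is not None and attr not in d.attrs:
            continue
        return next((lvl for who, lvl in d.by if _who_matches(who, bind_dn, target_dn)), "none")
    return "none"  # model assumption: no directive matched at all

def readable(acl, bind_dn, target_dn, present_attrs):
    """Attributes bind_dn can read from target_dn: the entry itself must be readable first."""
    if LEVELS.index(level(acl, bind_dn, target_dn, "entry")) < LEVELS.index("read"):
        return set()
    return {a for a in present_attrs
            if LEVELS.index(level(acl, bind_dn, target_dn, a)) >= LEVELS.index("read")}

TREE = r"ou=(groups|users|services),dc=one,dc=two,dc=com$"
ADMIN = "cn=admin,dc=two,dc=com"
MAILB = "uid=mailBrowser,ou=system,dc=one,dc=two,dc=com"
USERB = "uid=usersBrowser,ou=system,dc=one,dc=two,dc=com"

# The original post's two directives (dn= read as a regex, as the reply does).
ORIGINAL = [
    Access(TREE, {"mail"}, [(ADMIN, "write"), ("self", "write"), (MAILB, "read"), (USERB, "read")]),
    Access(TREE, None, [(ADMIN, "write"), (USERB, "read"), ("self", "read")]),
]
# The reply's fix: an attrs=entry directive placed in front of the same two.
FIXED = [Access(TREE, {"entry"}, [(ADMIN, "write"), ("self", "read"), (MAILB, "read"), (USERB, "read")])] + ORIGINAL

USER_DN = "uid=lukas,ou=users,dc=one,dc=two,dc=com"  # constructed sample entry
USER_ATTRS = {"uid", "cn", "mail", "userPassword"}

if __name__ == "__main__":
    for name, acl in (("original", ORIGINAL), ("fixed", FIXED)):
        for who in (MAILB, USERB):
            print(f"{name:8} {who.split(',')[0]:18} -> {sorted(readable(acl, who, USER_DN, USER_ATTRS))}")
```

With the original directives mailBrowser gets nothing back, because the attrs-less directive is the first one matching 'entry' and has no clause for it; with the fix it sees exactly mail, while usersBrowser sees every attribute in both.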