
Re: Access list - limiting access to attribute

Hallvard B Furuseth wrote:
Lukas Kubin writes:

I need to limit access to mail-related attributes of my users' tree.
I created the following acl entries:

access to dn="ou=(groups|users|services),dc=one,dc=two,dc=com$$"
  attrs=mail
  by dn="cn=admin,dc=two,dc=com$$" write
  by self write
  by dn.base="uid=mailBrowser,ou=system,dc=one,dc=two,dc=com" read
  by dn.base="uid=usersBrowser,ou=system,dc=one,dc=two,dc=com" read

access to dn="ou=(groups|users|services),dc=one,dc=two,dc=com$$"
  by dn="cn=admin,dc=two,dc=com$$" write
  by dn.base="uid=usersBrowser,ou=system,dc=one,dc=two,dc=com" read
  by self read

But I still cannot make user "mailBrowser" browse the attribute "mail". It cannot access it unless it is given the same privileges as user "usersBrowser" has. But then it can see all other attributes too.


I see what you are trying to do now.  The problem is, a user can't read
an attribute unless it also has access to the entry which contains that
attribute.

You can grant mailBrowser 'entry' access, which just grants access to
the entry without granting access to the attributes in it.  I'm not sure
just what 'entry' access allows mailBrowser to do with the entry, but at
least it's more restrictive than giving mailBrowser full access:

OK. I created another rule granting access to "entry". However, it didn't work until I had appended "objectClass" there too.
So now I have:

access to dn.regex="ou=(groups|users|services),dc=one,dc=two,dc=com$$"
   attrs=entry,objectClass
   by dn.exact="cn=admin,dc=two,dc=com" write
   by self read
   by dn.exact="uid=mailBrowser,ou=system,dc=one,dc=two,dc=com" read
   by dn.exact="uid=usersBrowser,ou=system,dc=one,dc=two,dc=com" read

access to dn.regex="ou=(groups|users|services),dc=one,dc=two,dc=com$$"
   attrs=mail
   by dn.exact="cn=admin,dc=two,dc=com" write
   by self write
   by dn.exact="uid=mailBrowser,ou=system,dc=one,dc=two,dc=com" read
   by dn.exact="uid=usersBrowser,ou=system,dc=one,dc=two,dc=com" read

access to dn.regex="ou=(groups|users|services),dc=one,dc=two,dc=com$$"
   by dn.exact="cn=admin,dc=two,dc=com" write
   by dn.exact="uid=usersBrowser,ou=system,dc=one,dc=two,dc=com" read
   by self read

I found in the log that the system is requesting access to objectClass. I don't understand why. I don't use any filter when testing with ldapsearch.

lukas

--
Lukas Kubin

phone: +420596398275
email: kubin@opf.slu.cz

Information centre
The School of Business Administration in Karvina
Silesian University in Opava
Czech Republic
http://www.opf.slu.cz
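As an added illustration (not part of the thread or of OpenLDAP itself), the following Python model walks through how slapd evaluates Lukas's three corrected directives for a search: the first directive whose dn.regex and attrs match wins, its first matching "by" clause sets the level, returning the entry needs "read" on the "entry" pseudo-attribute, and the default ldapsearch filter (objectClass=*) needs "search" on objectClass, which is why the objectClass grant was required. The entry DN used in the test is constructed, and only dn.exact, self and "*" "by" clauses are modelled.

```python
import re

# slapd access levels in increasing order; a grant at one level implies the lower ones.
LEVELS = ["none", "disclose", "auth", "compare", "search", "read", "write"]

def at_least(granted, needed):
    return LEVELS.index(granted) >= LEVELS.index(needed)

# Lukas's three directives transcribed ('$$' in slapd.conf is a literal '$').
# attrs=None stands for a directive with no attrs clause, which in slapd covers
# every attribute and also the 'entry' pseudo-attribute.
SUBTREE = r"ou=(groups|users|services),dc=one,dc=two,dc=com$"
ADMIN = "cn=admin,dc=two,dc=com"
MAILB = "uid=mailBrowser,ou=system,dc=one,dc=two,dc=com"
USERB = "uid=usersBrowser,ou=system,dc=one,dc=two,dc=com"
ACLS = [
    (SUBTREE, {"entry", "objectClass"},
     [(ADMIN, "write"), ("self", "read"), (MAILB, "read"), (USERB, "read")]),
    (SUBTREE, {"mail"},
     [(ADMIN, "write"), ("self", "write"), (MAILB, "read"), (USERB, "read")]),
    (SUBTREE, None, [(ADMIN, "write"), (USERB, "read"), ("self", "read")]),
]

def access_level(acls, binddn, entrydn, attr):
    """First directive whose dn.regex and attrs match the target wins, then its
    first matching 'by' clause; every directive ends with an implicit 'by * none'."""
    for dn_regex, attrs, by in acls:
        if not re.search(dn_regex, entrydn):
            continue
        if attrs is not None and attr not in attrs:
            continue
        for who, level in by:
            if who == "*" or who == binddn or (who == "self" and binddn == entrydn):
                return level
        return "none"
    return "none"

def search_result(acls, binddn, entrydn, requested=("mail", "uid")):
    """Attributes a search with the default filter (objectClass=*) returns for
    ENTRYDN, or None when the entry is withheld: 'read' on the 'entry'
    pseudo-attribute to return it, 'search' on objectClass to apply the filter,
    then 'read' on each requested attribute individually."""
    if not at_least(access_level(acls, binddn, entrydn, "entry"), "read"):
        return None
    if not at_least(access_level(acls, binddn, entrydn, "objectClass"), "search"):
        return None
    return [a for a in requested
            if at_least(access_level(acls, binddn, entrydn, a), "read")]
```

Dropping the first directive (ACLS[1:]) reproduces the original symptom: mailBrowser has read on mail but no entry access, so the entry is never returned.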
