[Date Prev][Date Next]
Re: Access list - limiting access to attribute
Lukas Kubin writes:
>Hallvard B Furuseth wrote:
>> You can grant mailBrowser 'entry' access, which just grants access to
>> the entry without granting access to the attributes in it. I'm not sure
>> just what 'entry' access allows mailBrowser to do with the entry, but at
>> least it's more restrictive than giving mailBrowser full access:
> OK. I created another rule granting access to "entry". However it didn't
> work until I had appended "objectClass" there too.
Oh. I forgot you have to find the entry:-)
> I found in log that the system is requesting access to objectClass. I
> don't understand, why? I don't use any filter when testing the ldapsearch.
The LDAP standard requires a filter. "(objectClass=*)" is the standard
LDAP filter which means "match everything". Ldapsearch uses that if you
do not specify a filter. I used the filter "(&)", the "TRUE filter"
extension, when I tested the reply I sent you, so it worked for me
without giving access to objectClass.
BTW, if you do not wish to rely on extensions like (&), it should be
enough to grant 's' access to objectClass, so mailBrowser can search for
but not read objectClass. See the slapd.access manpage.