Lukas Kubin writes:
Hallvard B Furuseth wrote:
You can grant mailBrowser 'entry' access, which just grants access to the entry without granting access to the attributes in it. I'm not sure just what 'entry' access allows mailBrowser to do with the entry, but at least it's more restrictive than giving mailBrowser full access:
OK. I created another rule granting access to "entry". However it didn't work until I had appended "objectClass" there too.
Oh. I forgot you have to find the entry :-)
I found in the log that the system is requesting access to objectClass. I don't understand why. I don't use any filter when testing the ldapsearch.
The LDAP standard requires a filter. "(objectClass=*)" is the standard LDAP filter which means "match everything". Ldapsearch uses that if you do not specify a filter. I used the filter "(&)", the "TRUE filter" extension, when I tested the reply I sent you, so it worked for me without giving access to objectClass.
BTW, if you do not wish to rely on extensions like (&), it should be enough to grant 's' access to objectClass, so mailBrowser can search for but not read objectClass. See the slapd.access manpage.
Perfect, thank you!
-- Lukas Kubin
phone: +420596398275 email: firstname.lastname@example.org
Information centre The School of Business Administration in Karvina Silesian University in Opava Czech Republic http://www.opf.slu.cz
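A slapd.conf access block that puts the thread's conclusion into rules, added here as an example and not taken from the thread: mailBrowser gets the entry pseudo-attribute, search-only access to objectClass so the default "(objectClass=*)" filter can match, and read access to the one attribute it needs. The suffix dc=example,dc=com, the ou=people subtree, the service DN cn=mailBrowser,ou=services,dc=example,dc=com and the attribute "mail" are assumed names.

```conf
# slapd.conf access control, example only (assumed DNs and attribute).
# Clauses are tried in order; the first "access to" whose <what> matches
# is used, and within it the first matching "by" decides. "by * break"
# sends every other identity on to the later clauses instead of
# silently denying it here.

# 1. The 'entry' pseudo-attribute: mailBrowser may receive the entries
#    themselves without seeing any real attribute.
access to dn.subtree="ou=people,dc=example,dc=com" attrs=entry
        by dn.exact="cn=mailBrowser,ou=services,dc=example,dc=com" read
        by * break

# 2. objectClass: ldapsearch's default filter is "(objectClass=*)", and a
#    filter needs 's' (search) access to the attribute it mentions.
#    Search access lets the filter match but does not return the values,
#    so mailBrowser still cannot read objectClass.
access to dn.subtree="ou=people,dc=example,dc=com" attrs=objectClass
        by dn.exact="cn=mailBrowser,ou=services,dc=example,dc=com" search
        by * break

# 3. The attribute mailBrowser is actually allowed to read (assumed).
access to dn.subtree="ou=people,dc=example,dc=com" attrs=mail
        by dn.exact="cn=mailBrowser,ou=services,dc=example,dc=com" read
        by * break

# 4. Everything else in the subtree stays closed to mailBrowser, so a
#    broad catch-all later in the file cannot widen its access.
access to dn.subtree="ou=people,dc=example,dc=com"
        by dn.exact="cn=mailBrowser,ou=services,dc=example,dc=com" none
        by * break
```

With these rules, `ldapsearch -x -D cn=mailBrowser,... -W -b ou=people,dc=example,dc=com mail` returns entries with only the mail attribute, while the same search for objectClass values returns the entries with no objectClass attribute.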