Re: Access list - limiting access to attribute

Hallvard B Furuseth wrote:
Lukas Kubin writes:

Hallvard B Furuseth wrote:

You can grant mailBrowser 'entry' access, which just grants access to
the entry without granting access to the attributes in it.  I'm not sure
just what 'entry' access allows mailBrowser to do with the entry, but at
least it's more restrictive than giving mailBrowser full access:

OK. I created another rule granting access to "entry". However, it didn't work until I had appended "objectClass" there too.

Oh.  I forgot you have to find the entry:-)

I found in the log that the system is requesting access to objectClass. I don't understand why. I don't use any filter when testing the ldapsearch.

The LDAP standard requires a filter.  "(objectClass=*)" is the standard
LDAP filter which means "match everything".  Ldapsearch uses that if you
do not specify a filter.  I used the filter "(&)", the "TRUE filter"
extension, when I tested the reply I sent you, so it worked for me
without giving access to objectClass.

BTW, if you do not wish to rely on extensions like (&), it should be
enough to grant 's' access to objectClass, so mailBrowser can search for
but not read objectClass.  See the slapd.access manpage.

Perfect, thank you!

BTW, I have one more question: what is the "TRUE filter extension" you mentioned?
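An added illustration of the ACL arrangement Hallvard describes, not taken from the thread: a single over-broad rule beside the three rules that give mailBrowser 'entry' access plus search-only ('s') access on objectClass, so the default ldapsearch filter "(objectClass=*)" can be evaluated without exposing objectClass values (the "(&)" absolute-true filter itself is the RFC 4526 extension). The DNs, the protected attribute "mail" and the subtree are assumed values.

```conf
# slapd.conf style ACLs. Assumed names: the bind DN
# cn=mailBrowser,dc=example,dc=com and the subtree ou=people,dc=example,dc=com.
# slapd applies the first "access to" clause whose target matches, so
# keep the specific rules below ahead of any catch-all rule.

# Too broad: mailBrowser can read every attribute of every entry.
access to dn.subtree="ou=people,dc=example,dc=com"
    by dn.exact="cn=mailBrowser,dc=example,dc=com" read
    by * none

# Replace the rule above with these three rules.
# 1. Only the "mail" attribute is readable by mailBrowser.
access to dn.subtree="ou=people,dc=example,dc=com" attrs=mail
    by dn.exact="cn=mailBrowser,dc=example,dc=com" read
    by * none

# 2. "entry" access so the entry itself is returned at all; without this
#    the search returns nothing even though "mail" is readable.
access to dn.subtree="ou=people,dc=example,dc=com" attrs=entry
    by dn.exact="cn=mailBrowser,dc=example,dc=com" read
    by * none

# 3. Search-only ("=s") on objectClass: enough for the default filter
#    (objectClass=*) to match, but objectClass values are not disclosed.
#    With the "(&)" filter this rule is not needed, since no attribute
#    is evaluated.
access to dn.subtree="ou=people,dc=example,dc=com" attrs=objectClass
    by dn.exact="cn=mailBrowser,dc=example,dc=com" =s
    by * none
```

With these rules an ldapsearch bound as mailBrowser (default filter) returns only the mail attribute of each entry; requesting objectClass explicitly yields no value, which is the intended outcome.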