2 top level domains and acls

[ben.norman@qmunity.net]

i have two top level domains in my openldap directory: example.local and
other.local
I have installed the suse93 packaged openldap server version 2.2.23.
I would like to declare the following permissions:
1. "cn=Manager,dc=example,dc=local" and "cn=writer,dc=example,dc=local" can
read, write and authenticate. ie do anything in both domains ...
2. "cn=reader,dc=example,dc=local can read anything in both domains.
3. "cn=publicreader,dc=example,dc=local" can read mail, sn, givenname in
example.local only.
I was expecting the results of my test for public reader to give the sn and
givenName for Joe Bloggs. It does not.

What am i doing wrong?
Do i need to supply different acls or acls just in a different order?

#slapd.conf file
###############################################################################

include     /etc/openldap/schema/core.schema
include     /etc/openldap/schema/cosine.schema
include     /etc/openldap/schema/inetorgperson.schema
include     /etc/openldap/schema/rfc2307bis.schema
include     /etc/openldap/schema/samba3.schema
include     /etc/openldap/schema/yast.schema

pidfile     /var/run/slapd/slapd.pid
argsfile    /var/run/slapd/slapd.args

access to attrs=userPassword
    by anonymous                                auth
    by *                                        none

access to attrs=sn,givenName
    by users                                    read
    by *                                        none

access to *
    by dn="cn=Manager,dc=example,dc=local"   write
    by dn="cn=writer,dc=example,dc=local"    write
    by dn="cn=reader,dc=example,dc=local"    read
    by *                                        none

database    ldbm
suffix      "dc=other,dc=local"
suffix      "dc=example,dc=local"
rootdn      "cn=Manager,dc=example,dc=local"
rootpw      secret
directory   /var/lib/ldap

index   objectClass eq

This is a population script that i run to populate the directory.
###############################################################################
:

rcldap stop
rm /var/lib/ldap/*
rcldap start

ldapadd -xWD "cn=Manager,dc=example,dc=local" <<HERE

dn: dc=example,dc=local
objectClass: dcObject
objectClass: organization
o: Sparke Helmore
dc: example

dn: dc=other,dc=local
objectClass: dcObject
objectClass: organization
o: Non Sparke Helmore Organisations
dc: other

dn: cn=reader,dc=example,dc=local
objectClass: simpleSecurityObject
objectClass: organizationalRole
cn: reader
userPassword: secret

dn: cn=writer,dc=example,dc=local
objectClass: simpleSecurityObject
objectClass: organizationalRole
cn: writer
userPassword: secret

dn: cn=publicreader,dc=example,dc=local
objectClass: simpleSecurityObject
objectClass: organizationalRole
cn: publicreader
userPassword: secret

dn: uid=BDN,dc=example,dc=local
objectClass: inetorgPerson
uid: BDN
sn: Bloggs
givenName: Joe
cn: Joe Bloggs

HERE

# This is the results of an ldapsearch using reader. results are as expected
....
###############################################################################
l0027:~/work # ldapsearch -D "cn=reader,dc=example,dc=local" -xb
"dc=example,dc=local" -w secret
# extended LDIF
#
# LDAPv3
# base <dc=example,dc=local> with scope sub
# filter: (objectclass=*)
# requesting: ALL
#

# example.local
dn: dc=example,dc=local
objectClass: dcObject
objectClass: organization
o: Sparke Helmore
dc: example

# reader, example.local
dn: cn=reader,dc=example,dc=local
objectClass: simpleSecurityObject
objectClass: organizationalRole
cn: reader

# writer, example.local
dn: cn=writer,dc=example,dc=local
objectClass: simpleSecurityObject
objectClass: organizationalRole
cn: writer

# publicreader, example.local
dn: cn=publicreader,dc=example,dc=local
objectClass: simpleSecurityObject
objectClass: organizationalRole
cn: publicreader

# BDN, example.local
dn: uid=BDN,dc=example,dc=local
objectClass: inetOrgPerson
uid: BDN
sn: Bloggs
givenName: Joe
cn: Joe Bloggs

# search result
search: 2
result: 0 Success

# numResponses: 6
# numEntries: 5

# These are the results of an ldapsearch using public reader. I was expecting
# to see the sn and givenName for Joe Bloggs but found nothing
###############################################################################

l0027:~/work # ldapsearch -D "cn=publicreader,dc=example,dc=local" -xb
"dc=example,dc=local" -w secret
# extended LDIF
#
# LDAPv3
# base <dc=example,dc=local> with scope sub
# filter: (objectclass=*)
# requesting: ALL
#

# search result
search: 2
result: 0 Success

# numResponses: 1

thanks
ben


----------------------------------------------------------------
This message was sent using IMP, the Internet Messaging Program.