
Re: Limiting attributes through ACL



[please keep replies on the list]

>>Dan Ciarniello wrote:

>># anyone can see the cn of inetOrgPersons
>>access to filter="(objectClass=inetOrgPerson)" attrs=cn
>>	by * read
>>
>># only users can see anything else of inetOrgPersons
>>access to filter="(objectClass=inetOrgPerson)"
>>	by users read

> Unfortunately, that doesn't seem to do it.  I set the above filters but
> I still get back all attributes when binding anonymously (using
> JXplorer).  I don't know if it makes a difference but I'm using OpenLDAP
> 2.2 rather than 2.4.

Well, apart from any consideration strictly related to your issue, you
should be using 2.3 (2.4 is not released yet but in alpha, so it's not
recommended).

The fact that the above rules do not seem to work sounds odd, as they're
known to work as suggested.  How can you tell they ever get used?  Did you
run slapd with "acl" debug level enabled (with 2.2, OR 128 to the log
level)?  My guess is that you have broader ACLs in place that get called
before the suggested ones.  I suggest you post your entire slapd.conf
(after appropriate sanitization for any sensitive info).

p.



Ing. Pierangelo Masarati
OpenLDAP Core Team

SysNet s.r.l.
via Dossi, 8 - 27100 Pavia - ITALIA
http://www.sys-net.it
---------------------------------------
Office:  +39 02 23998309
Mobile:  +39 333 4963172
Email:   pierangelo.masarati@sys-net.it
---------------------------------------
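The shadowing effect Pierangelo describes (a broader `access to` directive earlier in slapd.conf being consulted before the inetOrgPerson rules) comes from slapd's evaluation order: the first `access to` clause whose `<what>` matches the entry/attribute pair is the only one consulted, within it the first matching `by` clause decides, and if no `by` clause matches the implicit `by * none` denies. The following model of that order is an added illustration, not code from the thread or from OpenLDAP; its mini-parser covers only the directive subset used here, and the sample entry, bind DN and the two configurations are constructed.

```python
"""Model of slapd's 'access to' evaluation order, used to show why a catch-all
directive placed first shadows the inetOrgPerson rules from the thread.
Added illustration; parser and directory entry are assumptions."""
import re

# Access levels in slapd's increasing order; 'read' or higher reveals a value.
LEVELS = ["none", "disclose", "auth", "compare", "search", "read", "write"]


def parse_acl(conf):
    """Parse directives of the form
    access to [filter="(objectClass=X)"] [attrs=a,b] [*] by <who> <level> [by ...]
    Indented continuation lines are joined, as slapd does."""
    rules = []
    for stmt in re.split(r"\n(?=\s*access\s+to\b)", conf.strip()):
        tokens = stmt.split()
        if tokens[:2] != ["access", "to"]:
            raise ValueError("unsupported directive: " + stmt)
        rest = tokens[2:]
        split = rest.index("by")                  # <what> ends at the first 'by'
        what, by_tokens = rest[:split], rest[split:]
        objectclass, attrs = None, None
        for tok in what:
            if tok.startswith("filter="):
                objectclass = re.fullmatch(r'filter="?\(objectClass=(\w+)\)"?', tok).group(1)
            elif tok.startswith("attrs="):
                attrs = set(tok[len("attrs="):].split(","))
            elif tok != "*":
                raise ValueError("unsupported <what>: " + tok)
        if len(by_tokens) % 3 or any(by_tokens[i] != "by" for i in range(0, len(by_tokens), 3)):
            raise ValueError("malformed by clauses: " + stmt)
        by = [(by_tokens[i + 1], by_tokens[i + 2]) for i in range(0, len(by_tokens), 3)]
        rules.append({"objectClass": objectclass, "attrs": attrs, "by": by})
    return rules


def who_matches(who, binddn, entry_dn):
    """Subset of slapd <who> forms: '*', 'anonymous', 'users', 'self'."""
    if who == "*":
        return True
    if who == "anonymous":
        return binddn is None
    if who == "users":                            # any authenticated identity
        return binddn is not None
    if who == "self":
        return binddn is not None and binddn.lower() == entry_dn.lower()
    raise ValueError("unsupported <who>: " + who)


def access_level(rules, entry, attr, binddn):
    """Level the requester gets on one attribute of one entry: first matching
    'access to' clause wins; inside it the first matching 'by' wins; otherwise
    the implicit 'by * none' applies; no matching clause at all also denies."""
    entry_classes = [oc.lower() for oc in entry["objectClass"]]
    for rule in rules:
        if rule["objectClass"] and rule["objectClass"].lower() not in entry_classes:
            continue
        if rule["attrs"] is not None and attr not in rule["attrs"]:
            continue
        for who, level in rule["by"]:
            if who_matches(who, binddn, entry["dn"]):
                return level
        return "none"
    return "none"


def visible_attributes(conf, entry, binddn=None):
    """Attributes of `entry` readable by a requester bound as `binddn`
    (None = anonymous) under the directives in `conf`."""
    rules = parse_acl(conf)
    return sorted(a for a in entry if a != "dn"
                  and LEVELS.index(access_level(rules, entry, a, binddn)) >= LEVELS.index("read"))


# Constructed sample entry (assumption, not from the thread).
PERSON = {
    "dn": "uid=jdoe,ou=people,dc=example,dc=com",
    "objectClass": ["inetOrgPerson", "organizationalPerson", "person"],
    "cn": "John Doe",
    "mail": "jdoe@example.com",
    "userPassword": "{SSHA}constructed-sample-value",
}

# A catch-all 'access to *' placed first matches every (entry, attribute) pair,
# so the two inetOrgPerson directives below it are never consulted.
SHADOWED_CONF = """
access to *
    by * read
access to filter="(objectClass=inetOrgPerson)" attrs=cn
    by * read
access to filter="(objectClass=inetOrgPerson)"
    by users read
"""

# The same directives with the specific rules first and the catch-all last.
ORDERED_CONF = """
access to filter="(objectClass=inetOrgPerson)" attrs=cn
    by * read
access to filter="(objectClass=inetOrgPerson)"
    by users read
access to *
    by users read
"""

if __name__ == "__main__":
    for name, conf in (("shadowed", SHADOWED_CONF), ("ordered", ORDERED_CONF)):
        print(name, "anonymous:", visible_attributes(conf, PERSON))
        print(name, "jdoe:     ", visible_attributes(conf, PERSON, PERSON["dn"]))
```

With the catch-all first, anonymous reads every attribute of the entry, which is the symptom reported in the thread; with the specific directives first, anonymous reads only `cn` and authenticated users read everything. On a real server the same check is done by running slapd with ACL debugging (debug level 128 on 2.2, as the reply suggests) and watching which `access to` clause each attribute is matched against. One point this model leaves out: slapd also evaluates access to the `entry` pseudo-attribute, so an anonymous search that is meant to return `cn` needs read on `entry` as well, which the directive set above grants only to `users`.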