[Date Prev][Date Next] [Chronological] [Thread] [Top]

ACL problem, restrict access to several attributes


im trying to get an openldap server (2.3.) running with acl restricting access to special attributes

tb_READ should be allowed to search in the ou people but must not read any attributes then telephoneNumber, cn, sn, uid...

so i added this access rule to my slapd.conf :


access to dn.subtree="ou=people,dc=example,dc=com" attrs=telephoneNumber,cn,sn,mail,roomNumber,uid,givenName
	by dn="cn=tb_READ,ou=functional,dc=example,dc=com" read


after restarting slapd I checked the result of ldapsearch but it returns nothing :

ldapsearch -x -D "cn=tb_READ,ou=functional,dc=example,dc=com" -b "ou=people,dc=example,dc=com" -W 

# extended LDIF
# LDAPv3
# base <ou=people,dc=example,dc=com> with scope subtree
# filter: (objectclass=*)
# requesting: ALL

# search result
search: 3
result: 0 Success

accessing the attributes by ldapcompare works fine :

ldapcompare -x -D "cn=tb_READ,ou=functional,dc=example,dc=com" -W "uid=kheine,ou=people,dc=example,dc=com" telephoneNumber:1234

returns TRUE

so the rule seems to work for comparing, but not for searching entries in ou=people

i searched in the archives for more examples of using "attrs" and "dn.subtree", but found only configs where it seems to work this way

the admin guide (2.3.) itself shows this possibility on "6.3 Access Control" so i can not find the reason why my configuration is not working.

Please help me finding an approach to solve this problem, thanks for every advice

NOCC, http://nocc.sourceforge.net