[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: ACL problem, restrict access to several attributes

To: mheinric@imn.htwk-leipzig.de, openldap-software@openldap.org
Subject: Re: ACL problem, restrict access to several attributes
From: Christian Marg <marg@rz.tu-clausthal.de>
Date: Fri, 11 Jan 2008 18:10:19 +0100
In-reply-to: <20080111135802.051E3213AB@mail.imn.htwk-leipzig.de>
Organization: Rechenzentrum TU Clausthal
References: <20080111135802.051E3213AB@mail.imn.htwk-leipzig.de>
User-agent: Thunderbird 2.0.0.9 (Windows/20071031)

mheinric@imn.htwk-leipzig.de wrote:

Hi

im trying to get an openldap server (2.3.) running with acl restricting access to special attributes

tb_READ should be allowed to search in the ou people but must not read any attributes then telephoneNumber, cn, sn, uid...

so i added this access rule to my slapd.conf :

access to dn.subtree="ou=people,dc=example,dc=com" attrs=telephoneNumber,cn,sn,mail,roomNumber,uid,givenName
	by dn="cn=tb_READ,ou=functional,dc=example,dc=com" read

If you don't allow access to the "entry" attribute somewhere else, that's why it doesn't work:

(Quoting Adminguide23, 6.3.1) "To read (and hence return) a target entry, the subject must have read access to the target's entry attribute."

bye
Christian
--
Christian Marg                    mail  : mailto:marg@rz.tu-clausthal.de
Dezernat 2 TU Clausthal           web   : http://www.tu-clausthal.de
D-38678 Clausthal-Zellerfeld      fon   : 05323/72-2107
Germany                           jabber: ifcma@jabber.tu-clausthal.de

Attachment: signature.asc
Description: OpenPGP digital signature

References:
- ACL problem, restrict access to several attributes
  - From: <mheinric@imn.htwk-leipzig.de>

Prev by Date: Re: rewriting search scope
Next by Date: Re: ACL problem, restrict access to several attributes
Index(es):
- Chronological
- Thread