[Date Prev][Date Next]
Re: Re: ACL problem, restrict access to several attributes
>> im trying to get an openldap server (2.3.) running with acl restricting access to special attributes
>> tb_READ should be allowed to search in the ou people but must not read any attributes then telephoneNumber, cn, sn, uid...
>> so i added this access rule to my slapd.conf :
>> access to dn.subtree="ou=people,dc=example,dc=com" attrs=telephoneNumber,cn,sn,mail,roomNumber,uid,givenName
>> by dn="cn=tb_READ,ou=functional,dc=example,dc=com" read
>If you don't allow access to the "entry" attribute somewhere else, that's why it >doesn't work:
>(Quoting Adminguide23, 6.3.1)
>"To read (and hence return) a target entry, the subject must have read access to >the target's entry attribute."
>Christian Marg mail : mailto:firstname.lastname@example.org
>Dezernat 2 TU Clausthal web : http://www.tu-clausthal.de
>D-38678 Clausthal-Zellerfeld fon : 05323/72-2107
>Germany jabber: email@example.com
i added "entry" and "objectClass" to the "attrs" and searching works fine too