Re: question regarding ACLs

["Dieter Kluenter" <dieter@dkluenter.de>]

"Kick, Claus" <claus.kick@siemens.com> writes:

> Hello all,
>
> Since there is some time, I figured I rectify our openldap configuration
> and use proper ACLs.
>
> We are using the following version on Solaris 10:
[...]
> Our user subtree is organized as shown below:
>
>
> o=suffix
>
> ou=people,o=suffix
>
> uid=kdz,ou=people,o=suffix
>
> uid=hyc,ou=people,o=suffix
>
> ou=removed_accounts,ou=people,o=suffix
>
> uid=abcd,ou=removed_accounts,ou=people,o=suffix
>
> uid=efgh,ou=removed_accounts,ou=people,o=suffix
>
>
> Basically, I want a getent passwd not to list entries below
> ou=removed_accounts,ou=people,o=suffix, for a client application still
> considers the removed accounts as users (it probably searches the whole
> subtree).
>
> I read the documentation for 2.3:
>
> http://www.openldap.org/doc/admin23/slapdconfig.html#Access%20Control
> <http://www.openldap.org/doc/admin23/slapdconfig.html> 
>
> And found this:
>
> The scope can be either base, one, subtree, or children. Where base
> matches only the entry with provided DN, one matches the entries whose
> parent is the provided DN, subtree matches all entries in the subtree
> whose root is the provided DN, and children matches all entries under
> the DN (but not the entry named by the DN).
>
> So, I figured that an ACL (no global ACLs any longer) like this
>
> access to dn.one="ou=People,o=suffix" by * write
>
> Should hide the removed accounts and only show the active ones.
>
> But it does not, it still contains all the children of 
>
> ou=removed_accounts,ou=people,o=suffix
>
> And of
>
> ou=people,o=suffix
>
> Using dn.base="ou=People,o=suffix" by * write
> Where am I making a mistake?

access to dn.subtree=ou=removed_accounts,ou=people,o=suffix by none
access to dn.one=ou=people,o=suffix by * write

-Dieter

-- 
Dieter Klünter | Systemberatung
http://www.dpunkt.de/buecher/2104.html
GPG Key ID:8EF7B6C6