[Date Prev][Date Next] [Chronological] [Thread] [Top]

ldap proxy acl filter problem


(OpenLDAP version 2.4.23)

I have a filter expression in an ACL that is somehow affecting my
ability to retrieve specific attributes.  What's strange (to me) is that
with or without the filter expression in place, I can retrieve all
attributes, i.e. the full object.

4986# ldapsearch -LLL -Z -x -y ../../private/pwemail '(uid=rpeterso)'
dn: yDirectoryID=c44883ba-ac62-d28c-556f-99ccbf532da7,ou=email
yDirectoryID: c44883ba-ac62-d28c-556f-99ccbf532da7
objectClass: yAccount
objectClass: inetOrgPerson
uid: rpeterso
mail: rpeterso@mtholyoke.edu

But if I specify a particular attribute, then having the filter
expression in place somehow inhibits my ability to retrieve the specific

Without filter expression:

4987# ldapsearch -LLL -Z -x -y ../../private/pwemail '(uid=rpeterso)' mail
dn: yDirectoryID=c44883ba-ac62-d28c-556f-99ccbf532da7,ou=email
mail: rpeterso@mtholyoke.edu

With filter expression in place:

4990# ldapsearch -LLL -Z -x -y ../../private/pwemail '(uid=rpeterso)' mail
dn: yDirectoryID=c44883ba-ac62-d28c-556f-99ccbf532da7,ou=email

The ACL in question looks like:

access to dn.regex="(yDirectoryID=.*),ou=email" filter="(&(yInstitution=mtholyoke.edu)(yGlobalPermission=allow)(|(yApplicationPermission=email)(&(yDefaultApplicationPermission=allow)(!(yApplicationPermission=email)))))"
       by dn.regex=$1,ou=people,ou=accounts,ou=prod,dc=mtholyoke,dc=edu read
       by dn="uid=email,ou=admin,ou=accounts,ou=prod,dc=mtholyoke,dc=edu" read
       by * none

I've turned my logging way up, and the hiccup seems to be that the DN
I've authenticated as
(uid=email,ou=admin,ou=accounts,ou=prod,dc=mtholyoke,dc=edu) needs read
access to the attributes in the filter expression.  But how do I give
that account read access to those attributes, without then exposing the
objects that I'm trying to hide with the filter expression?

Ron Peterson
Network & Systems Administrator
Mount Holyoke College