|
Hello,
I am trying to configure my openldap server to allow a user to
read a list of users only if they have the "host" attribute with a
specific value, for instance "csa". I am using rhel 6, openldap
2.4.23 server. When I have the following 2 acl's, the user Admin
can get the full contents of the 'abc' container:
access to attrs=userPassword
by dn="uid=0,dc=aa,dc=bb,dc=cc" write
by * auth
access to dn.subtree="ou=abc,dc=aa,dc=bb,dc=cc"
by dn="uid=Admin,ou=Operators,dc=aa,dc=bb,dc=cc" read
When I change the 2nd acl as follows, I get no response at all:
access to dn.subtree="ou=abc,dc=aa,dc=bb,dc=cc" filter=(host=csa)
by dn="uid=Admin,ou=Operators,dc=aa,dc=bb,dc=cc" read
There are a few records in the abc container which have the
attribute host with the 'csa' value. I have tried to give search
permission to the entire container and then add the permission of
read only to the filter as follows:
access to dn.subtree="ou=abc,dc=aa,dc=bb,dc=cc"
by dn="uid=Admin,ou=Operators,dc=aa,dc=bb,dc=cc" =cs
access to dn.subtree="ou=abc,dc=aa,dc=bb,dc=cc" filter=(host=csa)
by dn="uid=Admin,ou=Operators,dc=aa,dc=bb,dc=cc" +r
but I still don't get my list with ldapsearch. What am I missing
here?
Thanks in advance,
Dorit.
|