BÖSCH Christian wrote:
>> On 26 Jan 2016, at 12:23 , Michael Ströder <michael@stroeder.com> wrote:
>>
>> BÖSCH Christian wrote:
>>> I'm using this ACL:
>>>
>>> {0}to filter=(objectclass=person) attrs=Hidden by group.exact="cn=group,ou=groups,o=abc.net" none
>>>
>>> but members of the group can still access the attribute Hidden.
>>> With any filter it does not work.
>>> If I use a single DN it works.
>>>
>>> Seems to me filters do not work?
>>
>> ...or there is another ACL applied before reaching this ACL.
>
> No, it's the first ACL entry.

Without seeing the complete configuration one can only guess.
Note that global ACLs in cn=config are also applied.

> Below is the debug. Do you see something suspicious?

I won't debug your ACLs. It's your homework, especially because you're the only one who has all the necessary information.

> Jan 26 12:35:46 openldap1 slapd[84283]: => acl_get: [2] attr Hidden
> Jan 26 12:35:46 openldap1 slapd[84283]: => acl_mask: access to entry "uid=user2,ou=people,o=abc.net", attr "Hidden" requested
> Jan 26 12:35:46 openldap1 slapd[84283]: => acl_mask: to value by "uid=user1,ou=people,o=abc.net", (=0)
> Jan 26 12:35:46 openldap1 slapd[84283]: <= check a_group_pat: cn=group,ou=groups,o=abc.net
> Jan 26 12:35:46 openldap1 slapd[84283]: => mdb_entry_get: found entry: "cn=group,ou=groups,o=abc.net"
> Jan 26 12:35:46 openldap1 slapd[84283]: <= check a_authz.sai_ssf: ACL 128 > OP 256
> Jan 26 12:35:46 openldap1 slapd[84283]: <= acl_mask: [1] applying read(=rscxd) (stop)
> Jan 26 12:35:46 openldap1 slapd[84283]: <= acl_mask: [1] mask: read(=rscxd)
> Jan 26 12:35:46 openldap1 slapd[84283]: => slap_access_allowed: read access granted by read(=rscxd)
> Jan 26 12:35:46 openldap1 slapd[84283]: => access_allowed: read access granted by read(=rscxd)
> Jan 26 12:35:46 openldap1 slapd[84283]: connection_read(36): no connection!

You have to check why there is read access granted.

Ciao, Michael.
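The point Michael makes ("another ACL applied before reaching this ACL") follows from how slapd evaluates access directives: they are tried in order, the first directive whose `to` part matches the entry and attribute is final, and within it the first matching `by` clause sets the level, with an implicit `by * none` at the end. The following is an added, constructed model of that evaluation written for this thread; it is not slapd code and not anything posted by either participant. The directory contents, the `BROAD_RULE` directive and the attribute values are hypothetical; only the Hidden directive and the DNs come from the thread.

```python
"""Constructed model of slapd ACL evaluation (not slapd code): directives are
tried in order and the FIRST one whose <what> part matches the target entry and
attribute is final; within it the FIRST matching <by> clause sets the access
level, with an implicit 'by * none' at the end.  Only the subset of the syntax
used in the thread (filter=, attrs=, dn.exact=, group.exact=, users, *) is modelled."""

from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

# slapd access levels, weakest to strongest; a grant implies every lower level.
LEVELS = ["none", "disclose", "auth", "compare", "search", "read", "write", "manage"]


@dataclass
class Entry:
    dn: str
    attrs: Dict[str, List[str]]  # lower-case attribute name -> values


@dataclass
class ByClause:
    who: str    # "*", "users", "anonymous", "self", "dn.exact=<dn>" or "group.exact=<dn>"
    level: str  # one of LEVELS


@dataclass
class Directive:
    objectclass: Optional[str]   # 'filter=(objectclass=X)'; None means no filter
    attrs: Optional[Set[str]]    # 'attrs=a,b' (lower-case); None means every attribute
    by: List[ByClause] = field(default_factory=list)

    def matches(self, entry: Entry, attr: str) -> bool:
        if self.objectclass is not None:
            ocs = [v.lower() for v in entry.attrs.get("objectclass", [])]
            if self.objectclass.lower() not in ocs:
                return False
        return self.attrs is None or attr.lower() in self.attrs


def who_matches(clause: ByClause, bind_dn: Optional[str], entry: Entry,
                directory: Dict[str, Entry]) -> bool:
    who = clause.who
    if who == "*":
        return True
    if who == "anonymous":
        return bind_dn is None
    if who == "users":
        return bind_dn is not None
    if who == "self":
        return bind_dn is not None and bind_dn.lower() == entry.dn.lower()
    if who.startswith("dn.exact="):
        return bind_dn is not None and bind_dn.lower() == who[len("dn.exact="):].lower()
    if who.startswith("group.exact="):
        # slapd default group semantics: groupOfNames with a 'member' attribute
        group = directory.get(who[len("group.exact="):].lower())
        members = [m.lower() for m in group.attrs.get("member", [])] if group else []
        return bind_dn is not None and bind_dn.lower() in members
    raise ValueError("unsupported <who> clause: " + who)


def evaluate(acls: List[Directive], directory: Dict[str, Entry],
             bind_dn: Optional[str], entry: Entry, attr: str) -> str:
    """Access level bind_dn gets to attribute attr of entry."""
    for directive in acls:
        if not directive.matches(entry, attr):
            continue                  # <what> did not match: try the next directive
        # <what> matched: this directive is final, later ones are never consulted.
        for clause in directive.by:
            if who_matches(clause, bind_dn, entry, directory):
                return clause.level   # first matching <by> clause wins
        return "none"                 # implicit trailing 'by * none'
    return "none"                     # no directive matched at all


def allows(level: str, wanted: str) -> bool:
    """True if a granted level covers the requested one (e.g. write covers read)."""
    return LEVELS.index(level) >= LEVELS.index(wanted)


# --- constructed directory using the DNs from the thread ----------------------
GROUP_DN = "cn=group,ou=groups,o=abc.net"
USER1 = "uid=user1,ou=people,o=abc.net"   # group member: must not see Hidden
USER2 = "uid=user2,ou=people,o=abc.net"   # entry whose Hidden attribute is read

DIRECTORY = {e.dn.lower(): e for e in [
    Entry(USER1, {"objectclass": ["person"], "hidden": ["s1"]}),
    Entry(USER2, {"objectclass": ["person"], "hidden": ["s2"]}),
    Entry(GROUP_DN, {"objectclass": ["groupOfNames"], "member": [USER1]}),
]}

# The directive from the thread.
HIDDEN_RULE = Directive("person", {"hidden"},
                        [ByClause("group.exact=" + GROUP_DN, "none")])
# A hypothetical broad directive of the kind many configs start with.  Placed
# BEFORE the Hidden rule it matches every attribute of every entry, so the
# Hidden rule is never reached and group members get read: the reported symptom.
BROAD_RULE = Directive(None, None, [ByClause("users", "read")])


def user1_reads_hidden(acls: List[Directive]) -> str:
    return evaluate(acls, DIRECTORY, USER1, DIRECTORY[USER2.lower()], "Hidden")


def user2_reads_hidden(acls: List[Directive]) -> str:
    return evaluate(acls, DIRECTORY, USER2, DIRECTORY[USER2.lower()], "Hidden")


if __name__ == "__main__":
    print("Hidden rule alone, member:    ", user1_reads_hidden([HIDDEN_RULE]))               # none
    print("broad rule first, member:     ", user1_reads_hidden([BROAD_RULE, HIDDEN_RULE]))   # read
    print("Hidden rule first, member:    ", user1_reads_hidden([HIDDEN_RULE, BROAD_RULE]))   # none
    # Side effect of the implicit 'by * none': with the Hidden rule exactly as
    # posted, non-members are denied Hidden too unless further <by> clauses follow.
    print("Hidden rule first, non-member:", user2_reads_hidden([HIDDEN_RULE, BROAD_RULE]))   # none
```

The model reproduces the symptom only when some other directive matching `Hidden` precedes the posted one, which is why the complete ACL set (including any global ACLs in cn=config) has to be inspected rather than the one directive. On the real server the equivalent check is slapacl(8), run against the live configuration with the entry and bind DN from the log, for example `slapacl -F /etc/openldap/slapd.d -b "uid=user2,ou=people,o=abc.net" -D "uid=user1,ou=people,o=abc.net" Hidden/read` (the config directory path is an assumption); with `-d acl` it prints the same `acl_get`/`acl_mask` trace as the debug output above, so the directive that actually grants read can be identified.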