
Re: acl bug?



BÖSCH Christian wrote:
>> On 26 Jan 2016, at 12:23 , Michael Ströder <michael@stroeder.com> wrote:
>>
>> BÖSCH Christian wrote:
>>> I’m using this ACL:
>>>
>>> {0}to filter=(objectclass=person) attrs=Hidden by group.exact="cn=group,ou=groups,o=abc.net" none
>>>
>>> but members of the group can still access the attribute Hidden.
>>> With any filter it does not work.
>>> If I use a single DN it works.
>>>
>>> Seems to me filters do not work?
>>
>> ..or there is another ACL applied before reaching this ACL.
> 
> No, it’s the first ACL entry.

Without seeing the complete configuration one can only guess.
Note that global ACLs in cn=config are also applied.

> Below is the debug output. Do you see something suspicious?

I won't debug your ACLs. It's your homework, especially because you're the only
one who has all the necessary information.

> Jan 26 12:35:46 openldap1 slapd[84283]: => acl_get: [2] attr Hidden
> Jan 26 12:35:46 openldap1 slapd[84283]: => acl_mask: access to entry "uid=user2,ou=people,o=abc.net", attr "Hidden" requested
> Jan 26 12:35:46 openldap1 slapd[84283]: => acl_mask: to value by "uid=user1,ou=people,o=abc.net", (=0)
> Jan 26 12:35:46 openldap1 slapd[84283]: <= check a_group_pat: cn=group,ou=groups,o=abc.net
> Jan 26 12:35:46 openldap1 slapd[84283]: => mdb_entry_get: found entry: "cn=group,ou=groups,o=abc.net"
> Jan 26 12:35:46 openldap1 slapd[84283]: <= check a_authz.sai_ssf: ACL 128 > OP 256
> Jan 26 12:35:46 openldap1 slapd[84283]: <= acl_mask: [1] applying read(=rscxd) (stop)
> Jan 26 12:35:46 openldap1 slapd[84283]: <= acl_mask: [1] mask: read(=rscxd)
> Jan 26 12:35:46 openldap1 slapd[84283]: => slap_access_allowed: read access granted by read(=rscxd)
> Jan 26 12:35:46 openldap1 slapd[84283]: => access_allowed: read access granted by read(=rscxd)
> Jan 26 12:35:46 openldap1 slapd[84283]: connection_read(36): no connection!

You have to check why there is read access granted.

Ciao, Michael.
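Michael's advice is to find out which ACL actually grants the read. The trace lines quoted above already say that, but it is easy to misread them. The following Python script is an added example, not part of this thread or of OpenLDAP: it parses the `acl_get` / `acl_mask` / `access_allowed` lines from a `slapd -d acl` trace and reports, per access decision, which access directive (the `[n]` after `acl_get`) and which `by` clause (the `[n]` after `acl_mask:`) produced the result. The reading of those two counters as 1-based positions in the configured ACL list and in the directive's `by` clauses is this example's assumption, and the sample trace is the one quoted in the mail, with the syslog prefix kept so the prefix stripping is exercised.

```python
import re

# Trace lines as quoted in the thread (slapd -d acl output). The final
# connection_read line is unrelated noise that the parser must ignore.
SAMPLE_TRACE = """\
Jan 26 12:35:46 openldap1 slapd[84283]: => acl_get: [2] attr Hidden
Jan 26 12:35:46 openldap1 slapd[84283]: => acl_mask: access to entry "uid=user2,ou=people,o=abc.net", attr "Hidden" requested
Jan 26 12:35:46 openldap1 slapd[84283]: => acl_mask: to value by "uid=user1,ou=people,o=abc.net", (=0)
Jan 26 12:35:46 openldap1 slapd[84283]: <= check a_group_pat: cn=group,ou=groups,o=abc.net
Jan 26 12:35:46 openldap1 slapd[84283]: => mdb_entry_get: found entry: "cn=group,ou=groups,o=abc.net"
Jan 26 12:35:46 openldap1 slapd[84283]: <= check a_authz.sai_ssf: ACL 128 > OP 256
Jan 26 12:35:46 openldap1 slapd[84283]: <= acl_mask: [1] applying read(=rscxd) (stop)
Jan 26 12:35:46 openldap1 slapd[84283]: <= acl_mask: [1] mask: read(=rscxd)
Jan 26 12:35:46 openldap1 slapd[84283]: => slap_access_allowed: read access granted by read(=rscxd)
Jan 26 12:35:46 openldap1 slapd[84283]: => access_allowed: read access granted by read(=rscxd)
Jan 26 12:35:46 openldap1 slapd[84283]: connection_read(36): no connection!
"""

# Syslog prefix "Mon DD HH:MM:SS host slapd[pid]: " in front of every slapd message.
_PREFIX = re.compile(r"^\S+\s+\d+\s+[\d:]+\s+\S+\s+slapd\[\d+\]:\s*")
# Which access directive is being examined for which attribute (assumed 1-based).
_ACL_GET = re.compile(r"=> acl_get: \[(\d+)\] attr (\S+)")
# Target entry and attribute of the access check.
_REQUEST = re.compile(r'=> acl_mask: access to entry "([^"]+)", attr "([^"]+)" requested')
# Identity the check is performed for (empty DN means anonymous).
_BY = re.compile(r'=> acl_mask: to (?:value|entry) by "([^"]*)"')
# A group.* by-clause being evaluated against this group DN.
_GROUP = re.compile(r"<= check a_group_pat: (\S+)")
# The by-clause (assumed 1-based) whose privileges were applied, and whether it stopped evaluation.
_APPLY = re.compile(r"<= acl_mask: \[(\d+)\] applying (\w+)\(=(\w*)\)(?: \((\w+)\))?")
# Final verdict for this access check.
_RESULT = re.compile(r"=> access_allowed: (\w+) access (granted|denied) by (\w+)\(=(\w*)\)")


def parse_acl_trace(text):
    """Return one record per access decision found in slapd ACL debug output."""
    decisions = []
    cur = {}
    for raw in text.splitlines():
        line = _PREFIX.sub("", raw.strip())
        if m := _ACL_GET.match(line):
            cur["acl_index"], cur["attr"] = int(m.group(1)), m.group(2)
        elif m := _REQUEST.match(line):
            cur["entry"], cur["attr"] = m.group(1), m.group(2)
        elif m := _BY.match(line):
            cur["requester"] = m.group(1)
        elif m := _GROUP.match(line):
            cur.setdefault("group_checks", []).append(m.group(1))
        elif m := _APPLY.match(line):
            cur["clause_index"] = int(m.group(1))
            cur["applied"], cur["mask"] = m.group(2), m.group(3)
            cur["stop"] = m.group(4) == "stop"
        elif m := _RESULT.match(line):
            cur["access"], cur["result"] = m.group(1), m.group(2)
            decisions.append(cur)  # verdict line closes the decision
            cur = {}
    return decisions


def summarize(d):
    """One-line reading of a decision: which directive and which by-clause fired."""
    return (
        f'{d.get("access")} on attr "{d.get("attr")}" of {d.get("entry")} '
        f'for {d.get("requester") or "anonymous"}: {d.get("result")} by '
        f'access directive #{d.get("acl_index")}, by-clause #{d.get("clause_index")} '
        f'({d.get("applied")}, mask ={d.get("mask")}{", stop" if d.get("stop") else ""})'
    )


if __name__ == "__main__":
    for decision in parse_acl_trace(SAMPLE_TRACE):
        print(summarize(decision))
```

On the quoted trace the script reports that the read on `Hidden` was granted by access directive #2, by-clause #1, so the `acl_get` counter is the first thing to compare against the ACL list actually loaded (including any global `olcAccess` in `cn=config`): it tells which directive reached the decision, not which one the poster believes is first.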
