Permissions required to perform OU/DN filtering?
- To: openldap-technical@openldap.org
- Subject: Permissions required to perform OU/DN filtering?
- From: Philip Colmer <philip.colmer@linaro.org>
- Date: Tue, 23 Oct 2018 10:47:46 +0100
I'm trying to use the following search filter:
(&(objectClass=organizationalPerson)(!(ou:dn:=external-community))(memberOf=cn=users,ou=mailing,ou=groups,dc=linaro,dc=org))
If I use an admin account, the search works. If I use a restricted
account, the search doesn't work. The restricted account is only
allowed to retrieve a subset of attributes, e.g.:
add: olcAccess
olcAccess: to dn.children="dc=linaro,dc=org"
filter=(objectClass=organizationalUnit)
attrs=entry,description,organizationalStatus,mail,jpegPhoto,@organizationalUnit
by group="cn=binder-group,ou=binders,dc=linaro,dc=org" read
add: olcAccess
olcAccess: to dn.children="dc=linaro,dc=org"
filter=(objectClass=inetOrgPerson)
attrs=businessCategory,jpegPhoto,labeledURI,roomNumber,modifyTimestamp,employeeNumber,memberOf
by group="cn=binder-group,ou=binders,dc=linaro,dc=org" read
(That is only a snippet of our configuration)
What do I need to grant read access to in order to get the search
filter to work with restricted accounts?
Thanks.
Philip
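Added example, not part of Philip's post and not OpenLDAP code. Per slapd.access(5), an attribute can only be used in a search filter by a binder that has at least "search" access to it on the candidate entry; a clause such as the posted one grants "read" only on a listed subset, and "read" implies "search" for those attributes but nothing for the rest. The script below statically pulls the attribute types out of an RFC 4515 filter (including the `ou:dn:=` extensible match), parses olcAccess clauses, and lists which filter attributes the binder group is not granted "search" on. Assumptions, also marked in comments: the `@organizationalUnit` expansion table is hand-written, `attrs=*` is taken to mean every attribute, a `:dn:` assertion is treated as needing "search" on that type on the candidate entry, and the `FIXED_ACL` clause is a suggested extra clause, not something the post contains.

```python
"""Static check: which attribute types an LDAP filter references, and do the
OpenLDAP olcAccess clauses grant a bind subject at least 'search' on each?

Added example, not code from the post or from OpenLDAP.  The filter and the two
ACL clauses are copied from the post; the object-class expansion table, the
treatment of 'attrs=*', and FIXED_ACL are this example's own assumptions.
"""
import re

# slapd.access(5) privilege levels, lowest to highest.  Each level implies all
# lower ones, so a 'read' grant satisfies a 'search' requirement.
ACCESS_LEVELS = ["none", "disclose", "auth", "compare", "search", "read", "write", "manage"]

# Assumption: hand-written, partial expansion of the '@objectclass' attribute
# set syntax (MUST + MAY of organizationalUnit per RFC 4519, lower-cased).
OBJECTCLASS_ATTRS = {
    "organizationalunit": {
        "ou", "userpassword", "searchguide", "seealso", "businesscategory",
        "x121address", "registeredaddress", "destinationindicator",
        "preferreddeliverymethod", "telexnumber", "teletexterminalidentifier",
        "telephonenumber", "internationalisdnnumber", "facsimiletelephonenumber",
        "street", "postofficebox", "postalcode", "postaladdress",
        "physicaldeliveryofficename", "st", "l", "description",
    },
}

# One RFC 4515 filter item: '(' + attribute description (absent in the
# '(:dn:rule:=v)' form) + optional extensible suffix such as ':dn:' or
# ':dn:caseIgnoreMatch:' + optional '~', '<', '>' + '='.  '(&', '(|', '(!' are
# operators.  Parentheses inside values are escaped (\28, \29) in a valid filter.
_ITEM_RE = re.compile(r"\((?![&|!])([^=~<>:()]*)((?::[^=()]*)?)[~<>]?=")
_BY_RE = re.compile(r"\bby\s+(\S+)\s+(" + "|".join(ACCESS_LEVELS) + r")\b")


def filter_attributes(ldap_filter):
    """Map each attribute type the filter asserts on (lower-cased) to whether
    one of its assertions is a ':dn:' match against the entry's DN components."""
    found = {}
    for m in _ITEM_RE.finditer(ldap_filter):
        attr, ext = m.group(1).strip().lower(), m.group(2).lower()
        if attr:
            found[attr] = found.get(attr, False) or ext.startswith(":dn")
    return found


def parse_olc_access(clause):
    """Parse one olcAccess value (possibly line-wrapped) into its target filter,
    the attribute set it covers, and its (who, level) pairs."""
    text = " ".join(clause.split())
    target = re.search(r"filter=(\S+)", text)
    attrs_m = re.search(r"attrs=(\S+)", text)
    attrs = set()
    for a in (attrs_m.group(1).lower().split(",") if attrs_m else ["*"]):
        # '@class' expands via the table above; an unknown class adds nothing.
        attrs |= (OBJECTCLASS_ATTRS.get(a[1:], set()) if a.startswith("@") else {a})
    return {"filter": target.group(1) if target else None, "attrs": attrs,
            "by": _BY_RE.findall(text)}


def missing_search_access(ldap_filter, acls, who):
    """Filter attributes that none of `acls` grants `who` at least 'search' on.

    Pass only clauses whose 'to' target selects the entries being searched (for
    person entries the inetOrgPerson clause, not the organizationalUnit one), and
    whose attrs= lists do not overlap: slapd applies the first matching 'to'
    clause per attribute, so overlaps would shadow grants.  A ':dn:' assertion
    is treated as needing 'search' on that type on the candidate entry itself
    (an assumption about slapd's filter evaluation)."""
    granted = set()
    for acl in acls:
        level = dict(acl["by"]).get(who, "none")
        if ACCESS_LEVELS.index(level) >= ACCESS_LEVELS.index("search"):
            granted |= acl["attrs"]
    if "*" in granted:  # simplification: '*' taken to cover every attribute
        return []
    return sorted(a for a in filter_attributes(ldap_filter) if a not in granted)


# Copied from the post.
POST_FILTER = ("(&(objectClass=organizationalPerson)(!(ou:dn:=external-community))"
               "(memberOf=cn=users,ou=mailing,ou=groups,dc=linaro,dc=org))")
BINDER = 'group="cn=binder-group,ou=binders,dc=linaro,dc=org"'
OU_ACL = """to dn.children="dc=linaro,dc=org" filter=(objectClass=organizationalUnit)
attrs=entry,description,organizationalStatus,mail,jpegPhoto,@organizationalUnit
by group="cn=binder-group,ou=binders,dc=linaro,dc=org" read"""
PERSON_ACL = """to dn.children="dc=linaro,dc=org" filter=(objectClass=inetOrgPerson)
attrs=businessCategory,jpegPhoto,labeledURI,roomNumber,modifyTimestamp,employeeNumber,memberOf
by group="cn=binder-group,ou=binders,dc=linaro,dc=org" read"""
# Assumed fix: a further clause granting only 'search' (not 'read') on the two
# attribute types the filter needs but PERSON_ACL does not cover.
FIXED_ACL = """to dn.children="dc=linaro,dc=org" filter=(objectClass=inetOrgPerson)
attrs=objectClass,ou by group="cn=binder-group,ou=binders,dc=linaro,dc=org" search"""

if __name__ == "__main__":
    print("filter references:", filter_attributes(POST_FILTER))
    print("missing with posted ACLs:", missing_search_access(POST_FILTER, [parse_olc_access(PERSON_ACL)], BINDER))
    print("missing with FIXED_ACL added:", missing_search_access(
        POST_FILTER, [parse_olc_access(PERSON_ACL), parse_olc_access(FIXED_ACL)], BINDER))
```

Run against the posted filter, the check reports that the binder group has "search" on memberOf (via its "read" grant) but on neither objectClass nor ou for person entries, which is consistent with the search returning nothing for the restricted bind while the admin bind succeeds. Granting "search" rather than "read" on those two types keeps the binder from reading values it has no other need for; the clause is a separate `to` entry because slapd takes the first clause that matches an attribute, so appending the types to the existing "read" list would widen access instead.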