Permissions required to perform OU/DN filtering?



I'm trying to use the following search filter:

(&(objectClass=organizationalPerson)(!(ou:dn:=external-community))(memberOf=cn=users,ou=mailing,ou=groups,dc=linaro,dc=org))

If I use an admin account, the search works. If I use a restricted
account, the search doesn't work. The restricted account is only
allowed to retrieve a subset of attributes, e.g.:

add: olcAccess
olcAccess: to dn.children="dc=linaro,dc=org"
  filter=(objectClass=organizationalUnit)
  attrs=entry,description,organizationalStatus,mail,jpegPhoto,@organizationalUnit
  by group="cn=binder-group,ou=binders,dc=linaro,dc=org" read

add: olcAccess
olcAccess: to dn.children="dc=linaro,dc=org"
  filter=(objectClass=inetOrgPerson)
  attrs=businessCategory,jpegPhoto,labeledURI,roomNumber,modifyTimestamp,employeeNumber,memberOf
  by group="cn=binder-group,ou=binders,dc=linaro,dc=org" read

(That is only a snippet of our configuration)

What do I need to grant read access to in order to get the search
filter to work with restricted accounts?

Thanks.

Philip
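
Added example, not part of the original post: slapd.access(5) requires search privilege on each attribute a filter names, and read on the `entry` pseudo-attribute before an entry is returned, so this Python script lists which of those the quoted `attrs=` lists do not name. Function names are hypothetical, `:dn:` items are assumed to need the same access as ordinary filter items, and because the quoted rules are only a snippet, other rules may already grant what it reports.

```python
import re

# Filter and attrs= lists copied from the post above.
FILTER = ("(&(objectClass=organizationalPerson)(!(ou:dn:=external-community))"
          "(memberOf=cn=users,ou=mailing,ou=groups,dc=linaro,dc=org))")
PERSON_RULE_ATTRS = ("businessCategory,jpegPhoto,labeledURI,roomNumber,"
                     "modifyTimestamp,employeeNumber,memberOf")
OU_RULE_ATTRS = ("entry,description,organizationalStatus,mail,jpegPhoto,"
                 "@organizationalUnit")

# A filter item is "(" + attribute description + optional extensible-match
# parts (":dn", ":matchingRule") + operator. Literal parentheses inside
# values must be escaped (\28, \29), so "(" always starts an item.
ITEM = re.compile(
    r"\(([A-Za-z][A-Za-z0-9;.-]*)((?::[A-Za-z0-9.-]+)*)(:=|~=|>=|<=|=)")


def filter_attributes(ldap_filter):
    """Map each attribute named in the filter to True if it uses :dn:."""
    found = {}
    for m in ITEM.finditer(ldap_filter):
        name = m.group(1).lower()
        uses_dn = "dn" in m.group(2).lower().split(":")
        found[name] = found.get(name, False) or uses_dn
    return found


def split_attrs(attrs):
    """Split an attrs= list into plain names and @/! objectClass shorthands."""
    names = [a.strip().lower() for a in attrs.split(",") if a.strip()]
    plain = {n for n in names if n[0] not in "@!"}
    classes = sorted(n[1:] for n in names if n[0] in "@!")
    return plain, classes


def missing_for_search(ldap_filter, attrs):
    """Filter attributes (plus 'entry') that this attrs= list does not name.

    Assumption: :dn: items are treated like any other filter attribute.
    @objectClass shorthands are not expanded (that needs the schema).
    """
    plain, _classes = split_attrs(attrs)
    needed = set(filter_attributes(ldap_filter)) | {"entry"}
    return sorted(needed - plain)


if __name__ == "__main__":
    print("filter uses:", filter_attributes(FILTER))
    print("not named by person rule:", missing_for_search(FILTER, PERSON_RULE_ATTRS))
    print("unexpanded in OU rule:", split_attrs(OU_RULE_ATTRS)[1])
```

Anything the script reports is a candidate to check against the full ACL set, for example with `slapacl` run as the restricted identity.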