
Re: Permissions required to perform OU/DN filtering?



On 10/23/18 11:47 AM, Philip Colmer wrote:
> I'm trying to use the following search filter:
> 
> (&(objectClass=organizationalPerson)(!(ou:dn:=external-community))
> (memberOf=cn=users,ou=mailing,ou=groups,dc=linaro,dc=org))
> 
> If I use an admin account, the search works. If I use a restricted
> account, the search doesn't work.

Summary:
You have to grant search privilege to all attributes used in the filter
and read access to pseudo-attribute 'entry' and all other attributes to
be returned in search results.

> The restricted account is only
> allowed to retrieve a subset of attributes, e.g.:
> 
> add: olcAccess
> olcAccess: to dn.children="dc=linaro,dc=org"
>   filter=(objectClass=organizationalUnit)
>   attrs=entry,description,organizationalStatus,mail,jpegPhoto,@organizationalUnit
>   by group="cn=binder-group,ou=binders,dc=linaro,dc=org" read
> 
> add: olcAccess
> olcAccess: to dn.children="dc=linaro,dc=org"
>   filter=(objectClass=inetOrgPerson)
>   attrs=businessCategory,jpegPhoto,labeledURI,roomNumber,modifyTimestamp,employeeNumber,memberOf
>   by group="cn=binder-group,ou=binders,dc=linaro,dc=org" read

Attribute 'entry' is missing here?

Ciao, Michael.
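Applying the rule from this reply to the quoted filter, as an added example that is not from either poster: the ACL below grants 'entry' plus every attribute the filter references (objectClass, ou, memberOf) in one clause and the attributes to be returned in another. The database DN `olcDatabase={1}mdb,cn=config` is assumed; the group and suffix DNs are taken from the question, and 'read' already implies 'search' in slapd's privilege ordering.

```ldif
# Assumed database DN; adjust to the one shown by
# "ldapsearch -Y EXTERNAL -H ldapi:/// -b cn=config olcDatabase".
dn: olcDatabase={1}mdb,cn=config
changetype: modify
add: olcAccess
# Filter evaluation needs at least 'search' on objectClass, ou and memberOf,
# and returning a matched entry at all needs 'read' on the 'entry'
# pseudo-attribute. 'read' covers 'search', so one level suffices here.
olcAccess: to dn.children="dc=linaro,dc=org"
  filter=(objectClass=inetOrgPerson)
  attrs=entry,objectClass,ou,memberOf
  by group="cn=binder-group,ou=binders,dc=linaro,dc=org" read
# Attributes that should appear in the result set need 'read'.
olcAccess: to dn.children="dc=linaro,dc=org"
  filter=(objectClass=inetOrgPerson)
  attrs=businessCategory,jpegPhoto,labeledURI,roomNumber,modifyTimestamp,employeeNumber
  by group="cn=binder-group,ou=binders,dc=linaro,dc=org" read
```

Because olcAccess clauses are evaluated in order and the first matching `to` clause decides, these must sit before any broader clause (such as `to *`) that would otherwise match the same attributes for this group; re-running the original ldapsearch bound as the restricted account confirms the change.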
