
Antw: Re: Permissions required to perform OU/DN filtering?



Hi!

A related interesting question: Are the ACL permissions for attributes needed
to do the actual matching of entries, or are they only used to add the
attributes of the matched entries to the result set? I was wondering what
"entry" actually is, and I imagine if LDAP search could return the count of
matching entries only (i.e. no attributes at all), that could be relevant...

Regards,
Ulrich

>>> Michael Ströder <michael@stroeder.com> wrote on 23.10.2018 at 12:07 in
message <155dbd7d-c3f4-fe5e-601e-c2e3d14d0805@stroeder.com>:
> On 10/23/18 11:47 AM, Philip Colmer wrote:
>> I'm trying to use the following search filter:
>> 
>> (&(objectClass=organizationalPerson)(!(ou:dn:=external-community))
>> (memberOf=cn=users,ou=mailing,ou=groups,dc=linaro,dc=org))
>> 
>> If I use an admin account, the search works. If I use a restricted
>> account, the search doesn't work.
> 
> Summary:
> You have to grant search privilege to all attributes used in the filter
> and read access to pseudo-attribute 'entry' and all other attributes to
> be returned in search results.
> 
>> The restricted account is only
>> allowed to retrieve a subset of attributes, e.g.:
>> 
>> add: olcAccess
>> olcAccess: to dn.children="dc=linaro,dc=org"
>>   filter=(objectClass=organizationalUnit)
>>   attrs=entry,description,organizationalStatus,mail,jpegPhoto,@organizationalUnit
>>   by group="cn=binder-group,ou=binders,dc=linaro,dc=org" read
>> 
>> add: olcAccess
>> olcAccess: to dn.children="dc=linaro,dc=org"
>>   filter=(objectClass=inetOrgPerson)
>>   attrs=businessCategory,jpegPhoto,labeledURI,roomNumber,modifyTimestamp,employeeNumber,memberOf
>>   by group="cn=binder-group,ou=binders,dc=linaro,dc=org" read
> 
> Attribute 'entry' is missing here?
> 
> Ciao, Michael.
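As an added illustration (not part of the thread), here is the inetOrgPerson clause rewritten along the lines of Michael's summary: every attribute the filter touches (objectClass, ou via the ou:dn:= match, memberOf) gets at least search, and the pseudo-attribute 'entry' gets read so matching entries are actually returned. The database DN olcDatabase={1}mdb is an assumed placeholder.

```ldif
# Added example, not from the thread. The database DN below is a placeholder;
# look it up with: ldapsearch -Y EXTERNAL -H ldapi:/// -b cn=config olcSuffix
dn: olcDatabase={1}mdb,cn=config
changetype: modify
add: olcAccess
# The binder's filter references objectClass, ou (evaluated against the DN's
# ou components because of the :dn: flag) and memberOf. Each needs at least
# 'search'; slapd's privilege ordering is
#   none < disclose < auth < compare < search < read < write < manage
# so granting 'read' here covers 'search' as well.
# 'entry' must be readable or the matched entry is never returned, which is
# what the original clause left out. Remember the first matching <what>
# clause wins, so keep this one ahead of any broader "to *" clause.
olcAccess: to dn.children="dc=linaro,dc=org"
  filter=(objectClass=inetOrgPerson)
  attrs=entry,objectClass,ou,businessCategory,jpegPhoto,labeledURI,roomNumber,modifyTimestamp,employeeNumber,memberOf
  by group="cn=binder-group,ou=binders,dc=linaro,dc=org" read
```

Re-run the original search as the restricted binder afterwards; if it still returns nothing, `slapd -d acl` (or loglevel acl) shows which attribute the search or read check is denied on.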