> On 26 Jan 2016, at 12:23 , Michael Ströder <michael@stroeder.com> wrote:
>
> BÖSCH Christian wrote:
>> i’m using this acl:
>>
>> {0}to filter=(objectclass=person) attrs=Hidden by group.exact="cn=group,ou=groups,o=abc.net" none
>>
>> but members of the group can still access the attribute Hidden.
>> with any filter it does not work.
>> if i use a single dn it works.
>>
>> seems to me filters do not work?
>
> ..or there is another ACL applied before reaching this ACL.

no, it’s the first acl entry.

>
> Debug this with log level "acl".

below is the debug. do you see something suspicious?

thanks,
christian

Jan 26 12:35:46 openldap1 slapd[84283]: => mdb_entry_get: found entry: "uid=user1,ou=people,o=abc.net"
Jan 26 12:35:46 openldap1 slapd[84283]: => mdb_entry_get: found entry: "cn=default,ou=ppolicies,o=abc.net"
Jan 26 12:35:46 openldap1 slapd[84283]: => access_allowed: result not in cache (userPassword)
Jan 26 12:35:46 openldap1 slapd[84283]: => access_allowed: auth access to "uid=user1,ou=people,o=abc.net" "userPassword" requested
Jan 26 12:35:46 openldap1 slapd[84283]: => acl_get: [3] attr userPassword
Jan 26 12:35:46 openldap1 slapd[84283]: => acl_mask: access to entry "uid=user1,ou=people,o=abc.net", attr "userPassword" requested
Jan 26 12:35:46 openldap1 slapd[84283]: => acl_mask: to value by "", (=0)
Jan 26 12:35:46 openldap1 slapd[84283]: <= check a_dn_pat: self
Jan 26 12:35:46 openldap1 slapd[84283]: <= check a_dn_pat: anonymous
Jan 26 12:35:46 openldap1 slapd[84283]: <= acl_mask: [2] applying auth(=xd) (stop)
Jan 26 12:35:46 openldap1 slapd[84283]: <= acl_mask: [2] mask: auth(=xd)
Jan 26 12:35:46 openldap1 slapd[84283]: => slap_access_allowed: auth access granted by auth(=xd)
Jan 26 12:35:46 openldap1 slapd[84283]: => access_allowed: auth access granted by auth(=xd)
Jan 26 12:35:46 openldap1 slapd[84283]: => mdb_entry_get: found entry: "uid=user1,ou=people,o=abc.net"
Jan 26 12:35:46 openldap1 slapd[84283]: => access_allowed: search access to "o=abc.net" "entry" requested
Jan 26 12:35:46 openldap1 slapd[84283]: => acl_get: [4] attr entry
Jan 26 12:35:46 openldap1 slapd[84283]: => acl_mask: access to entry "o=abc.net", attr "entry" requested
Jan 26 12:35:46 openldap1 slapd[84283]: => acl_mask: to all values by "uid=user1,ou=people,o=abc.net", (=0)
Jan 26 12:35:46 openldap1 slapd[84283]: <= check a_dn_pat: *
Jan 26 12:35:46 openldap1 slapd[84283]: <= acl_mask: [1] applying read(=rscxd) (stop)
Jan 26 12:35:46 openldap1 slapd[84283]: <= acl_mask: [1] mask: read(=rscxd)
Jan 26 12:35:46 openldap1 slapd[84283]: => slap_access_allowed: search access granted by read(=rscxd)
Jan 26 12:35:46 openldap1 slapd[84283]: => access_allowed: search access granted by read(=rscxd)
Jan 26 12:35:46 openldap1 slapd[84283]: => access_allowed: search access to "uid=user2,ou=people,o=abc.net" "uid" requested
Jan 26 12:35:46 openldap1 slapd[84283]: => acl_get: [4] attr uid
Jan 26 12:35:46 openldap1 slapd[84283]: => acl_mask: access to entry "uid=user2,ou=people,o=abc.net", attr "uid" requested
Jan 26 12:35:46 openldap1 slapd[84283]: => acl_mask: to value by "uid=user1,ou=people,o=abc.net", (=0)
Jan 26 12:35:46 openldap1 slapd[84283]: <= check a_dn_pat: *
Jan 26 12:35:46 openldap1 slapd[84283]: <= acl_mask: [1] applying read(=rscxd) (stop)
Jan 26 12:35:46 openldap1 slapd[84283]: <= acl_mask: [1] mask: read(=rscxd)
Jan 26 12:35:46 openldap1 slapd[84283]: => slap_access_allowed: search access granted by read(=rscxd)
Jan 26 12:35:46 openldap1 slapd[84283]: => access_allowed: search access granted by read(=rscxd)
Jan 26 12:35:46 openldap1 slapd[84283]: => access_allowed: read access to "uid=user2,ou=people,o=abc.net" "entry" requested
Jan 26 12:35:46 openldap1 slapd[84283]: => acl_get: [4] attr entry
Jan 26 12:35:46 openldap1 slapd[84283]: => acl_mask: access to entry "uid=user2,ou=people,o=abc.net", attr "entry" requested
Jan 26 12:35:46 openldap1 slapd[84283]: => acl_mask: to all values by "uid=user1,ou=people,o=abc.net", (=0)
Jan 26 12:35:46 openldap1 slapd[84283]: <= check a_dn_pat: *
Jan 26 12:35:46 openldap1 slapd[84283]: <= acl_mask: [1] applying read(=rscxd) (stop)
Jan 26 12:35:46 openldap1 slapd[84283]: <= acl_mask: [1] mask: read(=rscxd)
Jan 26 12:35:46 openldap1 slapd[84283]: => slap_access_allowed: read access granted by read(=rscxd)
Jan 26 12:35:46 openldap1 slapd[84283]: => access_allowed: read access granted by read(=rscxd)
Jan 26 12:35:46 openldap1 slapd[84283]: => access_allowed: result not in cache (Hidden)
Jan 26 12:35:46 openldap1 slapd[84283]: => access_allowed: read access to "uid=user2,ou=people,o=abc.net" "Hidden" requested
Jan 26 12:35:46 openldap1 slapd[84283]: => access_allowed: search access to "uid=user2,ou=people,o=abc.net" "objectClass" requested
Jan 26 12:35:46 openldap1 slapd[84283]: => acl_get: [2] attr Hidden
Jan 26 12:35:46 openldap1 slapd[84283]: => acl_mask: access to entry "uid=user2,ou=people,o=abc.net", attr "Hidden" requested
Jan 26 12:35:46 openldap1 slapd[84283]: => acl_mask: to value by "uid=user1,ou=people,o=abc.net", (=0)
Jan 26 12:35:46 openldap1 slapd[84283]: <= check a_group_pat: cn=group,ou=groups,o=abc.net
Jan 26 12:35:46 openldap1 slapd[84283]: => mdb_entry_get: found entry: "cn=group,ou=groups,o=abc.net"
Jan 26 12:35:46 openldap1 slapd[84283]: <= check a_authz.sai_ssf: ACL 128 > OP 256
Jan 26 12:35:46 openldap1 slapd[84283]: <= acl_mask: [1] applying read(=rscxd) (stop)
Jan 26 12:35:46 openldap1 slapd[84283]: <= acl_mask: [1] mask: read(=rscxd)
Jan 26 12:35:46 openldap1 slapd[84283]: => slap_access_allowed: read access granted by read(=rscxd)
Jan 26 12:35:46 openldap1 slapd[84283]: => access_allowed: read access granted by read(=rscxd)
Jan 26 12:35:46 openldap1 slapd[84283]: connection_read(36): no connection!

>
> Ciao, Michael.
>
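A small parser for an `acl`-level trace like the one in the message above, as an added example (not part of the original message or of OpenLDAP): for each completed access check it reports the ACL index logged by `acl_get`, the clause index logged by `acl_mask`, and the `check` lines evaluated on the way. The sample input is the `Hidden` request taken from the trace with the syslog prefix removed; the function name and the `denied` alternative in the result pattern are assumptions, since the trace only shows grants.

```python
import re
# Lines of the "Hidden" request from the trace in the post, syslog prefix removed.
SAMPLE = '''\
=> access_allowed: read access to "uid=user2,ou=people,o=abc.net" "Hidden" requested
=> access_allowed: search access to "uid=user2,ou=people,o=abc.net" "objectClass" requested
=> acl_get: [2] attr Hidden
=> acl_mask: access to entry "uid=user2,ou=people,o=abc.net", attr "Hidden" requested
=> acl_mask: to value by "uid=user1,ou=people,o=abc.net", (=0)
<= check a_group_pat: cn=group,ou=groups,o=abc.net
=> mdb_entry_get: found entry: "cn=group,ou=groups,o=abc.net"
<= check a_authz.sai_ssf: ACL 128 > OP 256
<= acl_mask: [1] applying read(=rscxd) (stop)
=> slap_access_allowed: read access granted by read(=rscxd)
=> access_allowed: read access granted by read(=rscxd)
'''

REQ = re.compile(r'=> access_allowed: (?P<level>\w+) access to "(?P<entry>[^"]*)" "(?P<attr>[^"]*)" requested')
GET = re.compile(r"=> acl_get: \[(?P<n>\d+)\] attr (?P<attr>\S+)")
WHO = re.compile(r'=> acl_mask: to (?:all values|value) by "(?P<dn>[^"]*)"')
CHECK = re.compile(r"<= check (?P<kind>[\w.]+): (?P<val>.*)")
APPLY = re.compile(r"<= acl_mask: \[(?P<n>\d+)\] applying (?P<mask>\S+)")
# "denied" is an assumption; the trace in the post only contains grants.
RESULT = re.compile(r"=> access_allowed: \w+ access (?P<res>granted|denied) by")

def summarise(log):
    """Return one record per completed access check in an acl-level trace."""
    pending, cur, done = {}, None, []
    for line in log.splitlines():
        if m := REQ.search(line):
            # Requests interleave (see the objectClass line), so key them by attribute.
            pending[m["attr"]] = {"level": m["level"], "entry": m["entry"],
                                  "attr": m["attr"], "checks": []}
        elif m := GET.search(line):
            cur = pending.get(m["attr"])
            if cur is not None:
                cur["acl"] = int(m["n"])
        elif cur is None:
            continue
        elif m := WHO.search(line):
            cur["who"] = m["dn"]
        elif m := CHECK.search(line):
            cur["checks"].append((m["kind"], m["val"]))
        elif m := APPLY.search(line):
            cur["clause"], cur["mask"] = int(m["n"]), m["mask"]
        elif m := RESULT.search(line):
            cur["result"] = m["res"]
            done.append(pending.pop(cur["attr"]))
            cur = None
    return done
```

Running `summarise()` over a full trace gives one record per decision, which makes it easy to compare the logged ACL and clause indexes against the configured ACL order.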