
Re: Permissions required to perform OU/DN filtering?



On 10/23/18 1:19 PM, Philip Colmer wrote:
> On Tue, 23 Oct 2018 at 11:08, Michael Ströder <michael@stroeder.com> wrote:
>> Summary:
>> You have to grant search privilege to all attributes used in the filter
>> and read access to pseudo-attribute 'entry' and all other attributes to
>> be returned in search results.
>>
>> Attribute 'entry' is missing here?
> 
> It is, but adding it hasn't fixed the problem, I'm afraid.
> 
> For "ou:dn:=external-community" to work, what is the search actually
> looking at? I tried adding "dn" to the list of attributes to be
> readable but that then failed to import as a valid configuration.

You would rather have to grant search access to 'entryDN'.

But sorry, I will not debug your ACLs.
You can start slapd with debug level for ACL debugging.

Example:

slapd -h ... -d stats,acl

This will give you many log lines with details of which permission is
requested for which entry and attribute.

Ciao, Michael.

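An ACL fragment following the summary in the message above, as an added example that is not part of the thread. The suffix dc=example,dc=com, the bind DN cn=app,ou=services,dc=example,dc=com and the returned attributes cn and mail are placeholders.

```conf
# slapd.conf ACL fragment (constructed example; all DNs are placeholders).
# slapd uses the first "access to" clause that matches an entry/attribute,
# so these must appear before any broader rule covering the same subtree.

# Attributes that appear in the filter "ou:dn:=external-community":
# search privilege is sufficient to evaluate the filter and does not
# allow the values to be returned.
access to dn.subtree="dc=example,dc=com" attrs=ou,entryDN
    by dn.exact="cn=app,ou=services,dc=example,dc=com" search
    by * none

# Pseudo-attribute 'entry' plus every attribute the client should get
# back in search results: read privilege (read implies search).
access to dn.subtree="dc=example,dc=com" attrs=entry,cn,mail
    by dn.exact="cn=app,ou=services,dc=example,dc=com" read
    by * none
```

The "by * none" lines deny every other identity for these attributes; in a real configuration, add the "by" clauses other clients need to the same "access to" statements.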