Re: Permissions required to perform OU/DN filtering?
- To: Philip Colmer <philip.colmer@linaro.org>
- Subject: Re: Permissions required to perform OU/DN filtering?
- From: Michael Ströder <michael@stroeder.com>
- Date: Tue, 23 Oct 2018 13:32:07 +0200
- Cc: openldap-technical@openldap.org
- In-reply-to: <CAKTSSTi6S-HaiYDLnNOXc1RYLLvbCm3EnhCF1LYa8ovAKSBkSw@mail.gmail.com>
- Openpgp: preference=signencrypt
- References: <CAKTSSThrnVZ+6ELexAOMhUgzPHGaJs=p3rdC1TL3EHEYcsvt+A@mail.gmail.com> <155dbd7d-c3f4-fe5e-601e-c2e3d14d0805@stroeder.com> <CAKTSSTi6S-HaiYDLnNOXc1RYLLvbCm3EnhCF1LYa8ovAKSBkSw@mail.gmail.com>
- User-agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Thunderbird/60.2.1
On 10/23/18 1:19 PM, Philip Colmer wrote:
> On Tue, 23 Oct 2018 at 11:08, Michael Ströder <michael@stroeder.com> wrote:
>> Summary:
>> You have to grant search privilege to all attributes used in the filter
>> and read access to pseudo-attribute 'entry' and all other attributes to
>> be returned in search results.
>>
>> Attribute 'entry' is missing here?
>
> It is, but adding it hasn't fixed the problem, I'm afraid.
>
> For "ou:dn:=external-community" to work, what is the search actually
> looking at? I tried adding "dn" to the list of attributes to be
> readable but that then failed to import as a valid configuration.

You would rather have to grant search access to 'entryDN'.

But sorry, I will not debug your ACLs.

You can start slapd with debug level for ACL debugging.

Example:

slapd -h ... -d stats,acl

This will give you many log lines with details on which permission is
requested for which entry and attribute.

Ciao, Michael.
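
One way to triage the `-d stats,acl` output suggested in the reply above, as an added example that is not part of the original message: it pairs each access request with its verdict and counts the denied permission/attribute combinations. The log lines are constructed, their shape is modelled on OpenLDAP 2.4 ACL debug messages (an assumption), and the DNs are hypothetical.

```python
import re
from collections import Counter

# Constructed sample of `slapd -d stats,acl` output (not from the original post).
# Line shapes are an assumption modelled on OpenLDAP 2.4; DNs are hypothetical.
SAMPLE_LOG = '''\
5bcf0a3e conn=1000 op=1 SRCH base="dc=example,dc=org" scope=2 deref=0 filter="(ou:dn:=external-community)"
5bcf0a3e => access_allowed: search access to "dc=example,dc=org" "entry" requested
5bcf0a3e => access_allowed: search access granted by read(=rscxd)
5bcf0a3e => access_allowed: search access to "uid=jdoe,ou=external-community,dc=example,dc=org" "entryDN" requested
5bcf0a3e => access_allowed: no more rules
5bcf0a3e => access_allowed: search access to "uid=asmith,ou=staff,dc=example,dc=org" "entryDN" requested
5bcf0a3e => access_allowed: search access denied by none(=0)
5bcf0a3e => access_allowed: read access to "dc=example,dc=org" "entry" requested
5bcf0a3e => access_allowed: read access granted by read(=rscxd)
'''

# "<perm> access to <entry DN> <attribute> requested" opens one ACL evaluation.
REQ = re.compile(r'=> access_allowed: (\w+) access to "([^"]*)" "([^"]*)" requested')
# The verdict is granted/denied by a mask, or "no more rules" (no ACL matched).
RES = re.compile(r'=> (?:slap_)?access_allowed: '
                 r'(?:\w+ access (granted|denied) by \S+|(no more rules))')

def denied_requests(log_text):
    """Return (permission, entry DN, attribute) for each request not granted."""
    denied, pending = [], None
    for line in log_text.splitlines():
        m = REQ.search(line)
        if m:
            pending = m.groups()
            continue
        m = RES.search(line)
        if m and pending:
            if m.group(1) != "granted":
                denied.append(pending)
            pending = None  # ignore a repeated verdict for the same request
    return denied

def missing_grants(log_text):
    """Count denials per (permission, attribute): the grants the ACLs lack."""
    return Counter((perm, attr) for perm, _dn, attr in denied_requests(log_text))

if __name__ == "__main__":
    for (perm, attr), n in missing_grants(SAMPLE_LOG).most_common():
        print(f"{n} x {perm} denied on attribute {attr!r}")
```
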