Hi

I'm trying to get an OpenLDAP server (2.3) running with ACLs restricting access
to specific attributes.

tb_READ should be allowed to search in the ou people but must not read any
attributes other than telephoneNumber, cn, sn, uid, ...

So I added this access rule to my slapd.conf:

..

access to dn.subtree="ou=people,dc=example,dc=com"
        attrs=telephoneNumber,cn,sn,mail,roomNumber,uid,givenName
        by dn="cn=tb_READ,ou=functional,dc=example,dc=com" read

..

After restarting slapd I checked the result of ldapsearch, but it returns
nothing:

ldapsearch -x -D "cn=tb_READ,ou=functional,dc=example,dc=com" -b "ou=people,dc=example,dc=com" -W

# extended LDIF
#
# LDAPv3
# base <ou=people,dc=example,dc=com> with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#

# search result
search: 3
result: 0 Success

Accessing the attributes with ldapcompare works fine:

ldapcompare -x -D "cn=tb_READ,ou=functional,dc=example,dc=com" -W "uid=kheine,ou=people,dc=example,dc=com" telephoneNumber:1234

returns TRUE

So the rule seems to work for comparing, but not for searching entries in
ou=people.

I searched the archives for more examples of using "attrs" and "dn.subtree",
but found only configs where it seems to work this way.

The admin guide (2.3) itself shows this possibility in "6.3 Access Control", so
I cannot find the reason why my configuration is not working.


Please help me find an approach to solve this problem; thanks for every piece
of advice.


___________________________________
NOCC, http://nocc.sourceforge.net
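Added example, not from the original post and not OpenLDAP project code: a slapd.conf ACL fragment that would let the search above return entries. The behaviour in the post follows from how slapd checks a search: before an entry is returned it checks access to that entry's `entry` pseudo-attribute, and while evaluating the filter it needs `search` access to every attribute the filter names (ldapsearch's default filter is `(objectclass=*)`, so that is objectClass). `read` on telephoneNumber, cn and so on only decides which attributes come back with an entry. ldapcompare needs only `compare` on the one attribute, and `read` implies `compare`, which is why the posted rule is enough for the compare but not for the search. Once an `access to` clause matches an entry/attribute pair it is the final word for that pair; if none of its `by` clauses match, access is denied, and if no clause matches at all, slapd denies as well (unless slapd.conf contains no access directives whatsoever). The DNs below are the ones from the post; the userPassword clause and the slapd.conf path in the check afterwards are my assumptions.

```conf
# Added example (not the poster's configuration).  Clauses are evaluated in
# order and the first "access to" whose <what> matches the entry/attribute
# pair decides, so the specific clauses come first and the catch-all last.

# 1. Let people under ou=people authenticate and change their own password.
#    (Assumed: without such a clause the catch-all below would also block
#    binds for entries in ou=people.)
access to dn.subtree="ou=people,dc=example,dc=com" attrs=userPassword
        by self write
        by anonymous auth
        by * none

# 2. The entry pseudo-attribute and objectClass for everything under
#    ou=people.  Access to "entry" is what makes an entry eligible to be
#    returned at all; "search" on objectClass is needed because the default
#    ldapsearch filter (objectclass=*) tests it.  "read" implies "search".
#    dn.exact is used explicitly so the bound DN is compared literally.
access to dn.subtree="ou=people,dc=example,dc=com" attrs=entry,objectClass
        by dn.exact="cn=tb_READ,ou=functional,dc=example,dc=com" read
        by * none

# 3. The attributes tb_READ may read.  "read" also covers ldapcompare.
access to dn.subtree="ou=people,dc=example,dc=com"
        attrs=telephoneNumber,cn,sn,mail,roomNumber,uid,givenName
        by dn.exact="cn=tb_READ,ou=functional,dc=example,dc=com" read
        by * none

# 4. Every other attribute in ou=people stays hidden from tb_READ (and, with
#    this clause, from everyone else; adjust the "by" lines if other users
#    need more).
access to dn.subtree="ou=people,dc=example,dc=com"
        by * none
```

The check can be done without a network round trip: slapacl(8), which ships with 2.3, evaluates the ACLs in a config file for a given identity and entry, for example `slapacl -f /etc/openldap/slapd.conf -D "cn=tb_READ,ou=functional,dc=example,dc=com" -b "uid=kheine,ou=people,dc=example,dc=com" entry/read objectClass/search telephoneNumber/read userPassword/read` (the config path is an assumption). It prints ALLOWED or DENIED per attribute/access pair; the first three should be ALLOWED and userPassword DENIED. Run it as the user slapd runs as, since it opens the database directly.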

