BÖSCH Christian wrote:
>> On 26 Jan 2016, at 12:23 , Michael Ströder <[email protected]> wrote:
>>
>> BÖSCH Christian wrote:
>>> I'm using this ACL:
>>>
>>> {0}to filter=(objectclass=person) attrs=Hidden by
>>> group.exact="cn=group,ou=groups,o=abc.net" none
>>>
>>> but members of the group can still access the attribute Hidden.
>>> With any filter it does not work.
>>> If I use a single DN it works.
>>>
>>> It seems to me filters do not work?
>>
>> ..or there is another ACL applied before reaching this ACL.
>
> No, it's the first ACL entry.

Without seeing the complete configuration one can only guess.
Note that global ACLs in cn=config are also applied.

> Below is the debug. Do you see something suspicious?

I won't debug your ACLs. It's your homework, especially because you're the only one who has all the necessary information.

> Jan 26 12:35:46 openldap1 slapd[84283]: => acl_get: [2] attr Hidden
> Jan 26 12:35:46 openldap1 slapd[84283]: => acl_mask: access to entry "uid=user2,ou=people,o=abc.net", attr "Hidden" requested
> Jan 26 12:35:46 openldap1 slapd[84283]: => acl_mask: to value by "uid=user1,ou=people,o=abc.net", (=0)
> Jan 26 12:35:46 openldap1 slapd[84283]: <= check a_group_pat: cn=group,ou=groups,o=abc.net
> Jan 26 12:35:46 openldap1 slapd[84283]: => mdb_entry_get: found entry: "cn=group,ou=groups,o=abc.net"
> Jan 26 12:35:46 openldap1 slapd[84283]: <= check a_authz.sai_ssf: ACL 128 > OP 256
> Jan 26 12:35:46 openldap1 slapd[84283]: <= acl_mask: [1] applying read(=rscxd) (stop)
> Jan 26 12:35:46 openldap1 slapd[84283]: <= acl_mask: [1] mask: read(=rscxd)
> Jan 26 12:35:46 openldap1 slapd[84283]: => slap_access_allowed: read access granted by read(=rscxd)
> Jan 26 12:35:46 openldap1 slapd[84283]: => access_allowed: read access granted by read(=rscxd)
> Jan 26 12:35:46 openldap1 slapd[84283]: connection_read(36): no connection!

You have to check why there is read access granted.

Ciao, Michael.
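The trace quoted above already says which rule and which by-clause granted the read, but pulling that out of raw slapd ACL logging by eye is error-prone, especially over a longer trace with several entries and attributes. The following is an added example, not code from the thread or from the OpenLDAP project: a small Python summarizer for `loglevel acl` / `slapd -d acl` output. Its regexes are written against the message formats visible in the quoted lines (`acl_get`, `acl_mask ... requested`, `acl_mask: to ... by`, `check a_...`, `acl_mask: [n] applying`, `access_allowed`), and it may need adjusting for other slapd versions. For each access decision it reports the rule counter slapd printed in `acl_get`, the index of the `by` clause that fired in `acl_mask`, the by-clause checks slapd ran (group pattern, SSF), and the verdict. The sample input is the quoted trace with the mail wrapping undone; everything else (function and field names) is this example's own.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Constructed sample: the slapd ACL trace quoted in the thread above, one
# record per line (mail wrapping undone, syslog prefix kept).
SAMPLE_TRACE = """\
Jan 26 12:35:46 openldap1 slapd[84283]: => acl_get: [2] attr Hidden
Jan 26 12:35:46 openldap1 slapd[84283]: => acl_mask: access to entry "uid=user2,ou=people,o=abc.net", attr "Hidden" requested
Jan 26 12:35:46 openldap1 slapd[84283]: => acl_mask: to value by "uid=user1,ou=people,o=abc.net", (=0)
Jan 26 12:35:46 openldap1 slapd[84283]: <= check a_group_pat: cn=group,ou=groups,o=abc.net
Jan 26 12:35:46 openldap1 slapd[84283]: => mdb_entry_get: found entry: "cn=group,ou=groups,o=abc.net"
Jan 26 12:35:46 openldap1 slapd[84283]: <= check a_authz.sai_ssf: ACL 128 > OP 256
Jan 26 12:35:46 openldap1 slapd[84283]: <= acl_mask: [1] applying read(=rscxd) (stop)
Jan 26 12:35:46 openldap1 slapd[84283]: <= acl_mask: [1] mask: read(=rscxd)
Jan 26 12:35:46 openldap1 slapd[84283]: => slap_access_allowed: read access granted by read(=rscxd)
Jan 26 12:35:46 openldap1 slapd[84283]: => access_allowed: read access granted by read(=rscxd)
"""

# Patterns keyed on the slapd messages seen in the trace. re.search is used,
# so a syslog prefix (or none, for slapd -d output) does not matter.
RE_ACL_GET = re.compile(r"=> acl_get: \[(\d+)\] attr (\S+)")
RE_REQUEST = re.compile(r'=> acl_mask: access to entry "([^"]*)", attr "([^"]*)" requested')
RE_SUBJECT = re.compile(r'=> acl_mask: to .+? by "([^"]*)"')
RE_CHECK = re.compile(r"<= check a_([\w.]+): (.*)$")
RE_APPLY = re.compile(r"<= acl_mask: \[(\d+)\] applying (\w+)\(=(\w*)\) \((\w+)\)")
RE_RESULT = re.compile(r"=> access_allowed: (\w+) access (granted|denied) by (\w+)\(=(\w*)\)")


@dataclass
class AclDecision:
    entry: str = ""
    attr: str = ""
    subject: str = ""                 # DN from "acl_mask: to ... by"; empty for anonymous
    acl_index: Optional[int] = None   # slapd's running rule counter from acl_get
    checks: List[Tuple[str, str]] = field(default_factory=list)  # by-clause checks, in order
    by_index: Optional[int] = None    # 1-based index of the <by> clause that fired
    applied: str = ""                 # access level that clause applied, e.g. "read"
    mask: str = ""                    # raw privilege mask, e.g. "rscxd"
    control: str = ""                 # stop / continue / break
    requested: str = ""               # access level the operation needed
    granted: Optional[bool] = None


def parse_acl_trace(text: str) -> List[AclDecision]:
    """Split an ACL trace into one AclDecision per access_allowed verdict."""
    decisions: List[AclDecision] = []
    cur = AclDecision()
    for line in text.splitlines():
        m = RE_ACL_GET.search(line)
        if m:
            # Only the last acl_get before the verdict is the rule that matched.
            cur.acl_index = int(m.group(1))
            continue
        m = RE_REQUEST.search(line)
        if m:
            cur.entry, cur.attr = m.group(1), m.group(2)
            continue
        m = RE_SUBJECT.search(line)
        if m:
            cur.subject = m.group(1)
            continue
        m = RE_CHECK.search(line)
        if m:
            cur.checks.append((m.group(1), m.group(2).strip()))
            continue
        m = RE_APPLY.search(line)
        if m:
            cur.by_index = int(m.group(1))
            cur.applied, cur.mask, cur.control = m.group(2), m.group(3), m.group(4)
            continue
        m = RE_RESULT.search(line)
        if m:
            cur.requested = m.group(1)
            cur.granted = m.group(2) == "granted"
            decisions.append(cur)
            cur = AclDecision()
    if cur.entry or cur.acl_index is not None:
        decisions.append(cur)          # trailing evaluation without a verdict line
    return decisions


def explain(d: AclDecision) -> str:
    """One-line human summary of where a decision came from."""
    who = d.subject or "(anonymous)"
    verdict = "granted" if d.granted else ("denied" if d.granted is False else "unresolved")
    checks = "; ".join(f"{name}={detail}" for name, detail in d.checks) or "none"
    return (f'{d.requested or d.applied} access to attr "{d.attr}" of "{d.entry}" for "{who}" '
            f"was {verdict}: rule [{d.acl_index}], by-clause [{d.by_index}] applied "
            f"{d.applied}(={d.mask}) ({d.control}); checks: {checks}")


if __name__ == "__main__":
    for decision in parse_acl_trace(SAMPLE_TRACE):
        print(explain(decision))
```

On the quoted trace this reports read access to `Hidden` of `uid=user2` for `uid=user1` granted by rule `[2]`, by-clause `[1]`, after a `group_pat` check against `cn=group,ou=groups,o=abc.net`: a by-clause that grants `read`, whereas the only by-clause in the `{0}` rule quoted in the question grants `none`. The `[n]` in `acl_get` is slapd's own counter over the rules it walked for this entry, which is not the same numbering as `{n}` in a single database's `olcAccess` values when rules from more than one place (including the global ones the reply mentions) are evaluated, so the number has to be matched against the complete ACL set slapd actually loaded.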
