Re: access control and Search
At 12:09 PM 12/7/99 +0100, bert hubert wrote:
>On Tue, Dec 07, 1999 at 06:01:03PM +0800, Benjamin de los Angeles Jr. wrote:
>
>> My questions are:
>>
>> 1. Why is it that I'm not granted access even though the access
>> for * is "search"? What are the limitations of "search" access?
>> 2. Why is it the return code is 0? Why not 50 (0x32)? which tells
>> that my access right is insufficient.
>> 3. Is there something wrong with my search query?
>
>AFAIK, 'search' means that you can *find* a record,
>so that you can bind to it.

'search' means you can apply a 'search' filter to it; 'read'
says search can return it to the client.

For example:

    access to attr=givenName
        by * search

means that you can execute '(givenName=foo)' but that the
givenName attribute will not be returned as you don't have read
access.

Search has NOTHING to do with bind. In OpenLDAP 1.x, no access
controls affect bind.
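
The search/read distinction from the reply above, as an added illustration that is not part of the original message and is not OpenLDAP code. It is a simplified model: only per-attribute levels for `by *` and a case-sensitive equality filter are handled, and the entries, ACL dictionaries and function names are constructed for the example.

```python
# Simplified model of per-attribute 'search' vs 'read' access.
# Not slapd's implementation; names and sample data are constructed.

# Access levels in increasing order; each level implies the ones before it.
LEVELS = ["none", "compare", "search", "read", "write"]


def allowed(acl, attr, needed, default="none"):
    """True if the level granted on attr is at least `needed`."""
    granted = acl.get(attr.lower(), default)
    return LEVELS.index(granted) >= LEVELS.index(needed)


def search(entries, acl, filter_attr, filter_value, default="none"):
    """Evaluate the filter (filter_attr=filter_value) under acl.

    Returns a list of (dn, visible_attrs) for the entries that match.
    """
    results = []
    for dn, attrs in entries.items():
        # Step 1: the filter may only be tested against an attribute
        # the requester has at least 'search' access to.
        if not allowed(acl, filter_attr, "search", default):
            continue
        if filter_value not in attrs.get(filter_attr, []):
            continue
        # Step 2: only attributes with at least 'read' access are
        # sent back to the client.
        visible = {a: v for a, v in attrs.items()
                   if allowed(acl, a, "read", default)}
        results.append((dn, visible))
    return results


# Constructed directory contents.
ENTRIES = {
    "cn=Foo Bar,o=Example": {"cn": ["Foo Bar"], "givenName": ["foo"]},
    "cn=Baz Qux,o=Example": {"cn": ["Baz Qux"], "givenName": ["baz"]},
}

# "access to attr=givenName by * search": filterable, not returned.
SEARCH_ONLY = {"givenname": "search", "cn": "read"}
# Same attribute with 'read': filterable and returned.
READABLE = {"givenname": "read", "cn": "read"}

if __name__ == "__main__":
    print(search(ENTRIES, SEARCH_ONLY, "givenName", "foo"))
    print(search(ENTRIES, READABLE, "givenName", "foo"))
```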