I have a DIT like
c=de
- o=Demo
- ou=user
- ou=company
I want to deny anonymous access to the ou=user branch.
My ACL is:
access to dn=".*, ou=user, o=Demo, c=DE"
    by dn="cn=user1, ou=user, o=Demo, c=DE" write
    by anonymous auth
    by * none
access to dn=".*,c=DE"
    by dn="cn=user1, ou=user, o=Demo, c=DE" write
    by * read
When doing an anonymous subtree search with base "ou=user, o=Demo, c=DE"
I still get all entries under that branch.
In the log I read:
access_allowed: search access to "ou=user,o=MailPass Demo, c=DE"
"objectClass" requested
dnpat: [1] .*, ou=user, o=Demo, c=DE nsub: 0
dnpat: [2] .*,c=DE nsub: 0
acl_get: [2] matched
In my opinion ACL1 should match.
What have I misunderstood or done wrong?
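The log above already shows what goes wrong, and the fragment below is an added slapd.conf example (not the original poster's configuration) that expresses the intended rules in a form slapd will match. With a plain dn="..." target the value is a regular expression (the "dnpat"/"nsub" lines in the log are the regex matcher), and it is compared against the entry DN as slapd normalizes it: that is why pattern [2] ".*,c=DE" matches a DN the log prints with a space before "c=DE", and why pattern [1], which contains ", " (comma followed by space) between every RDN, never matches anything. Note also that the DN in the log reads "o=MailPass Demo" while the pattern says "o=Demo"; whichever is the real value, the pattern has to match it. Since the first "access to" clause whose target matches the entry is the one evaluated, the entry falls through to [2], where "by * read" grants the anonymous search. The example uses the dn.subtree / dn.exact target styles of OpenLDAP 2.1 and later and assumes the organization really is o=Demo; on the older regex-only syntax the equivalent for the first target is an anchored pattern without whitespace, dn="^.*,ou=user,o=Demo,c=DE$".

```conf
# Added example, not the poster's config. Assumes OpenLDAP 2.1+ ACL syntax
# and that the branch to protect really is ou=user,o=Demo,c=DE.

# Most specific target first: the first "access to" whose target matches
# the entry is the only one consulted, so the user branch must come before
# the catch-all for c=DE.
access to dn.subtree="ou=user,o=Demo,c=DE"
    # dn.exact compares normalized DNs, so write the DN without spaces.
    by dn.exact="cn=user1,ou=user,o=Demo,c=DE" write
    # "auth" lets unauthenticated clients bind as entries under ou=user
    # (needed for simple binds) without being able to read them.
    by anonymous auth
    # Explicit deny for everyone else; this is also the implicit default
    # once no "by" clause matches.
    by * none

# Everything else under c=DE stays world-readable, as in the original.
access to dn.subtree="c=DE"
    by dn.exact="cn=user1,ou=user,o=Demo,c=DE" write
    by * read
```

After changing the file, re-run the anonymous search with "-b ou=user,o=Demo,c=DE" and check that the log now reports "acl_get: [1] matched" instead of [2]; if it still reports [2], the entry DN in the log does not match the first target and the target value (for example o=Demo versus o=MailPass Demo) is what needs correcting.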