ACL to permit access to some attributes
Hello,
I'm testing an OpenLDAP 2.1.27 server and I need to
give read access to the mail attribute of each entry
without exposing other attributes.
It seems easy to do, but after several tries I don't see
where the error is.
This is my current acl:
access to dn.base="" by * read
access to dn.base="cn=Subschema" by * read
access to * attrs=mail
by * read
but all searches of the mail attribute return an
empty response.
Any idea about where the problem is?
Thank you.
/-------/
ldapsearch -x -h 195.55.55.167 -s sub -b "dc=fadesa,dc=es" '(mail=*)'
# extended LDIF
#
# LDAPv3
# base <dc=fadesa,dc=es> with scope sub
# filter: (mail=*)
# requesting: ALL
#
# search result
search: 2
result: 0 Success
# numResponses: 1
/-------/
# /usr/local/libexec/slapd -4 -h ldap:// -d 224
bdb_initialize: Sleepycat Software: Berkeley DB 4.1.25: (December 19, 2002)
reading config file /usr/local/etc/openldap/slapd.conf
line 6 (include /usr/local/etc/openldap/schema/core.schema)
reading config file /usr/local/etc/openldap/schema/core.schema
*** snip subschema ****
line 11 (schemacheck on)
line 12 (defaultsearchbase dc=fadesa,dc=es)
line 23 (pidfile /var/run/slapd.pid)
line 24 (argsfile /var/run/slapd.args)
line 26 (sasl-secprops none)
line 56 (access to dn.base="" by * read)
Global ACL: access to *
by * read(=rscx)
line 57 (access to dn.base="cn=Subschema" by * read)
Global ACL: access to dn.base=cn=subschema
by * read(=rscx)
line 63 (access to * attrs=mail by * read )
Global ACL: access to attrs=mail
by * read(=rscx)
line 90 (database bdb)
bdb_db_init: Initializing BDB database
line 91 (suffix "dc=fadesa,dc=es")
line 92 (rootdn "cn=jefazo,dc=fadesa,dc=es")
line 97 (rootpw ***)
line 99 (password-hash {CLEARTEXT})
line 104 (directory /var/db/openldap-data)
line 107 (index objectClass eq)
index objectClass 0x0004
line 108 (index uid eq)
index uid 0x0004
line 109 (index cn eq)
index cn 0x0004
line 112 (lastmod yes)
line 115 (cachesize 200000)
line 121 (idletimeout 900)
slapd starting
str2filter "(objectclass=*)"
begin get_filter
PRESENT
end get_filter 0
begin get_filter
PRESENT
end get_filter 0
=> bdb_filter_candidates
AND
=> bdb_list_candidates 0xa0
=> bdb_filter_candidates
DN SUBTREE
<= bdb_filter_candidates: id=-1 first=1 last=8
=> bdb_filter_candidates
OR
=> bdb_list_candidates 0xa1
=> bdb_filter_candidates
EQUALITY
<= bdb_filter_candidates: id=0 first=0 last=0
=> bdb_filter_candidates
PRESENT
<= bdb_filter_candidates: id=-1 first=1 last=8
<= bdb_list_candidates: id=-1 first=1 last=8
<= bdb_filter_candidates: id=-1 first=1 last=8
<= bdb_list_candidates: id=-1 first=1 last=8
<= bdb_filter_candidates: id=-1 first=1 last=8
=> test_filter
PRESENT
=> access_allowed: search access to "dc=fadesa,dc=es" "mail" requested
=> dn: [1]
=> dn: [2] cn=subschema
=> acl_get: [3] check attr mail
<= acl_get: [3] acl dc=fadesa,dc=es attr: mail
=> acl_mask: access to entry "dc=fadesa,dc=es", attr "mail" requested
=> acl_mask: to all values by "", (=n)
<= check a_dn_pat: *
<= acl_mask: [1] applying read(=rscx) (stop)
<= acl_mask: [1] mask: read(=rscx)
=> access_allowed: search access granted by read(=rscx)
<= test_filter 5
=> test_filter
PRESENT
=> access_allowed: search access to "uid=00002,dc=fadesa,dc=es" "mail" requested
=> dn: [1]
=> dn: [2] cn=subschema
=> acl_get: [3] check attr mail
<= acl_get: [3] acl uid=00002,dc=fadesa,dc=es attr: mail
=> acl_mask: access to entry "uid=00002,dc=fadesa,dc=es", attr "mail" requested
=> acl_mask: to all values by "", (=n)
<= check a_dn_pat: *
<= acl_mask: [1] applying read(=rscx) (stop)
<= acl_mask: [1] mask: read(=rscx)
=> access_allowed: search access granted by read(=rscx)
<= test_filter 5
=> test_filter
PRESENT
=> access_allowed: search access to "uid=00001,dc=fadesa,dc=es" "mail" requested
=> dn: [1]
=> dn: [2] cn=subschema
=> acl_get: [3] check attr mail
<= acl_get: [3] acl uid=00001,dc=fadesa,dc=es attr: mail
=> acl_mask: access to entry "uid=00001,dc=fadesa,dc=es", attr "mail" requested
=> acl_mask: to all values by "", (=n)
<= check a_dn_pat: *
<= acl_mask: [1] applying read(=rscx) (stop)
<= acl_mask: [1] mask: read(=rscx)
=> access_allowed: search access granted by read(=rscx)
<= test_filter 6
=> access_allowed: read access to "uid=00001,dc=fadesa,dc=es" "entry" requested
=> dn: [1]
=> dn: [2] cn=subschema
=> acl_get: [3] check attr entry
<= acl_get: done.
=> access_allowed: no more rules
send_search_entry: access to entry not allowed
=> test_filter
PRESENT
=> access_allowed: search access to "uid=00004,dc=fadesa,dc=es" "mail" requested
=> dn: [1]
=> dn: [2] cn=subschema
=> acl_get: [3] check attr mail
<= acl_get: [3] acl uid=00004,dc=fadesa,dc=es attr: mail
=> acl_mask: access to entry "uid=00004,dc=fadesa,dc=es", attr "mail" requested
=> acl_mask: to all values by "", (=n)
<= check a_dn_pat: *
<= acl_mask: [1] applying read(=rscx) (stop)
<= acl_mask: [1] mask: read(=rscx)
=> access_allowed: search access granted by read(=rscx)
<= test_filter 5
=> test_filter
PRESENT
=> access_allowed: search access to "uid=00003,dc=fadesa,dc=es" "mail" requested
=> dn: [1]
=> dn: [2] cn=subschema
=> acl_get: [3] check attr mail
<= acl_get: [3] acl uid=00003,dc=fadesa,dc=es attr: mail
=> acl_mask: access to entry "uid=00003,dc=fadesa,dc=es", attr "mail" requested
=> acl_mask: to all values by "", (=n)
<= check a_dn_pat: *
<= acl_mask: [1] applying read(=rscx) (stop)
<= acl_mask: [1] mask: read(=rscx)
=> access_allowed: search access granted by read(=rscx)
<= test_filter 5
=> test_filter
PRESENT
=> access_allowed: search access to "uid=00010,dc=fadesa,dc=es" "mail" requested
=> dn: [1]
=> dn: [2] cn=subschema
=> acl_get: [3] check attr mail
<= acl_get: [3] acl uid=00010,dc=fadesa,dc=es attr: mail
=> acl_mask: access to entry "uid=00010,dc=fadesa,dc=es", attr "mail" requested
=> acl_mask: to all values by "", (=n)
<= check a_dn_pat: *
<= acl_mask: [1] applying read(=rscx) (stop)
<= acl_mask: [1] mask: read(=rscx)
=> access_allowed: search access granted by read(=rscx)
<= test_filter 6
=> access_allowed: read access to "uid=00010,dc=fadesa,dc=es" "entry" requested
=> dn: [1]
=> dn: [2] cn=subschema
=> acl_get: [3] check attr entry
<= acl_get: done.
=> access_allowed: no more rules
send_search_entry: access to entry not allowed
--
-----BEGIN GEEK CODE BLOCK-----
Version: 3.1
GCS/IT d- s+:+() a- C+++ UBL+++$ P+ L+++ E--- W++ N+ o++ K- w---
O+ M+ V- PS+ PE+ Y++ PGP+>+++ t+ 5 X+$ R- tv-- b+++ DI D++>+++
G++ e- h+(++) !r !z
------END GEEK CODE BLOCK------
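The debug trace above already shows where the empty result comes from. For each entry, search access on `mail` is granted by the third ACL (`acl_get: [3] ... attr: mail`, `search access granted by read(=rscx)`), but before returning the entry `send_search_entry` asks for read access to the `entry` pseudo-attribute (`read access to "uid=00001,dc=fadesa,dc=es" "entry" requested`). No rule covers `entry` (the third ACL only lists `mail`), slapd reaches `no more rules`, and with ACLs present the implicit final rule is deny, hence `access to entry not allowed` and `numResponses: 1` with no entries. slapd.access(5) documents `entry` as the pseudo-attribute that must be readable before an entry can be returned at all. The following slapd.conf fragment is an added example, not the original poster's file and not OpenLDAP project code; it keeps the first two rules from the post and adds `entry` to the attribute list of the third.

```conf
# slapd.conf ACL fragment (added example; not the original poster's file)
access to dn.base="" by * read
access to dn.base="cn=Subschema" by * read

# 'entry' is the pseudo-attribute slapd checks before it returns an entry
# from a search at all; without it every entry is filtered out even though
# 'mail' itself is readable. Listing only entry and mail leaves every other
# attribute (uid, userPassword, ...) under the implicit trailing
# "access to * by * none", which is what the post asks for.
access to * attrs=entry,mail
        by * read
```

After restarting slapd, the same `ldapsearch -x ... '(mail=*)'` from the post should return one entry per object carrying a mail value, each showing only `dn` and `mail`; rerunning with `-d 128` (ACL processing) should show the `entry` check being granted by the third rule instead of falling through to `no more rules`. Since `by * read` also lets anonymous clients enumerate every address in the directory, use `by users read` on that rule if only bound clients should be able to list addresses.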